Index: vm_x86.c =================================================================== --- vm_x86.c (revision 1962) +++ vm_x86.c (working copy) @@ -107,6 +107,10 @@ static ELastCommand LastCommand; +static void ErrJump( void ) { Com_Error( ERR_DROP, "program tried to execute code outside VM\n" ); } + +static void (*const errJumpPtr)(void) = ErrJump; + /* ================= AsmCall @@ -124,13 +128,21 @@ sub edi, 4 test eax,eax jl systemCall + cmp eax, [callMask] + jae badAddr // calling another vm function shl eax,2 add eax, dword ptr [instructionPointers] call dword ptr [eax] mov eax, dword ptr [edi] - and eax, [callMask] ret +badAddr: + call ErrJump + // leave something on the opstack + //add edi, 4 + //mov dword ptr [edi], 0 + //ret + systemCall: // convert negative num to system call number @@ -212,12 +224,18 @@ "subl $4, %edi\n\t" "testl %eax, %eax\n\t" "jl 0f\n\t" + "cmpl " CMANGVAR(callMask) ", %eax\n\t" + "jae 1f\n\t" "shll $2, %eax\n\t" "addl " CMANGVAR(instructionPointers) ", %eax\n\t" "call *(%eax)\n\t" "movl (%edi), %eax\n\t" - "andl " CMANGVAR(callMask) ", %eax\n\t" "ret\n" + "1:\n\t" // bad address, leave something on the opstack + "call " CMANGFUNC(ErrJump) "\n\t" + //"addl $4, %edi\n\t" + //"movl $0, (%edi)\n\t" + //"ret\n\t" "0:\n\t" // system call "notl %eax\n\t" "pushl %ebp\n\t" @@ -424,10 +442,12 @@ */ void VM_Compile( vm_t *vm, vmHeader_t *header ) { int op; + int op1; int maxLength; int v; int i; qboolean opt; + qboolean cjump; int jusedSize = header->instructionCount + 2; // allocate a very large temp buffer, we will shrink it later @@ -454,6 +474,7 @@ instruction = 0; code = (byte *)header + header->codeOffset; compiledOfs = 0; + cjump = qfalse; LastCommand = LAST_COMMAND_NONE; @@ -582,6 +603,7 @@ Emit4( lastConst ); if (code[pc] == OP_JUMP) { JUSED(lastConst); + cjump = qtrue; } break; case OP_LOCAL: @@ -1076,11 +1098,26 @@ break; case OP_JUMP: - EmitCommand(LAST_COMMAND_SUB_DI_4); // sub edi, 4 - EmitString( "8B 47 04" ); // mov eax,dword ptr [edi+4] - // FIXME: range check - EmitString( "FF 24 85" ); // jmp dword ptr [instructionPointers + eax * 4] - Emit4( (int)vm->instructionPointers ); + if ( cjump == qtrue && !jused[pc-1] ) { + // we don't need any checks there because jump target + // is known and already validated by JUSED macro + EmitCommand(LAST_COMMAND_SUB_DI_4); // sub edi, 4 + EmitString( "8B 47 04" ); // mov eax,dword ptr [edi+4] + EmitString( "FF 24 85" ); // jmp dword ptr [instructionPointers + eax * 4] + Emit4( (int)vm->instructionPointers ); + } else { + // perform runtime range checks + EmitCommand(LAST_COMMAND_SUB_DI_4); // sub edi, 4 + EmitString( "8B 47 04" ); // mov eax,dword ptr [edi+4] + EmitString( "3B 05" ); // cmp eax,[callMask] + Emit4( (int)&callMask ); + EmitString( "73 07" ); // jae +7 + EmitString( "FF 24 85" ); // jmp dword ptr [instructionPointers + eax * 4] + Emit4( (int)vm->instructionPointers ); + EmitString( "FF 15" ); // call errJumpPtr + Emit4( (int)&errJumpPtr ); + } + cjump = qfalse; break; default: VMFREE_BUFFERS(); @@ -1159,8 +1196,10 @@ byte *image; void *opStack; int *oldInstructionPointers; + int oldCallMask; oldInstructionPointers = instructionPointers; + oldCallMask = callMask; currentVM = vm; instructionPointers = vm->instructionPointers; @@ -1168,7 +1207,7 @@ // interpret the code vm->currentlyInterpreting = qtrue; - callMask = vm->dataMask; + callMask = vm->instructionCount; // we might be called recursively, so this might not be the very top programStack = vm->programStack; @@ -1239,6 +1278,7 @@ // in case we were recursively called by another vm instructionPointers = oldInstructionPointers; + callMask = oldCallMask; return *(int *)opStack; }