bounds check function calls, and entity indexes in LOAD instructions
authordivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Wed, 19 Aug 2009 06:19:36 +0000 (06:19 +0000)
committerdivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Wed, 19 Aug 2009 06:19:36 +0000 (06:19 +0000)
git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@9127 d7cf8633-e32d-0410-b094-e92efae38249

prvm_execprogram.h

index 86596615c509f6269836acf8c6eb83dd192d88dd..43d047458a5a5f705d3bd5974e1ebadfd7d9ec4d 100644 (file)
@@ -3,7 +3,7 @@
 
                while (1)
                {
-                       st++; // TODO bounds check
+                       st++;
 
 #if PRVMTRACE
                        PRVM_PrintStatement(st);
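Review bot: The `// TODO bounds check` on `st++` is dropped without adding a check or a comment saying why none is needed, whereas the jump cases in this same commit get an explicit `// no bounds check needed, it is done when loading progs`. If the loader's validation also guarantees that sequential execution cannot run past the end of the statement array (every function ending in a return/done), the same comment belongs here: `st++; // no bounds check needed, it is done when loading progs`. If that is not guaranteed, the TODO was still accurate and should stay. The enclosing `while (1)` loop body continues past the end of this hunk.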
                        case OP_LOAD_S:
                        case OP_LOAD_FNC:
 #if PRVMBOUNDSCHECK
+                               if (OPA->edict < 0 || OPA->edict >= prog->edictareasize)
+                               {
+                                       prog->xfunction->profile += (st - startst);
+                                       prog->xstatement = st - prog->statements;
+                                       PRVM_ERROR ("%s Progs attempted to read an out of bounds edict number", PRVM_NAME);
+                                       goto cleanup;
+                               }
                                if ((unsigned int)(OPB->_int) >= (unsigned int)(prog->progs->entityfields))
                                {
                                        prog->xfunction->profile += (st - startst);
                                        goto cleanup;
                                }
 #endif
-                               ed = PRVM_PROG_TO_EDICT(OPA->edict); // TODO bounds check entity number
+                               ed = PRVM_PROG_TO_EDICT(OPA->edict);
                                OPC->_int = ((prvm_eval_t *)((int *)ed->fields.vp + OPB->_int))->_int;
                                break;
 
                        case OP_LOAD_V:
 #if PRVMBOUNDSCHECK
+                               if (OPA->edict < 0 || OPA->edict >= prog->edictareasize)
+                               {
+                                       prog->xfunction->profile += (st - startst);
+                                       prog->xstatement = st - prog->statements;
+                                       PRVM_ERROR ("%s Progs attempted to read an out of bounds edict number", PRVM_NAME);
+                                       goto cleanup;
+                               }
                                if (OPB->_int < 0 || OPB->_int + 2 >= prog->progs->entityfields)
                                {
                                        prog->xfunction->profile += (st - startst);
                                        goto cleanup;
                                }
 #endif
-                               ed = PRVM_PROG_TO_EDICT(OPA->edict); // TODO bounds check entity number
+                               ed = PRVM_PROG_TO_EDICT(OPA->edict);
                                OPC->ivector[0] = ((prvm_eval_t *)((int *)ed->fields.vp + OPB->_int))->ivector[0];
                                OPC->ivector[1] = ((prvm_eval_t *)((int *)ed->fields.vp + OPB->_int))->ivector[1];
                                OPC->ivector[2] = ((prvm_eval_t *)((int *)ed->fields.vp + OPB->_int))->ivector[2];
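Review bot: The new edict checks in OP_LOAD_S/OP_LOAD_FNC and OP_LOAD_V compare `OPA->edict` against `prog->edictareasize`, and the name suggests that field is the size of the edict area (presumably in bytes or field slots) rather than a count of edicts; if so, the check admits indices far beyond the last edict, and `PRVM_PROG_TO_EDICT(OPA->edict)` still dereferences out of bounds for any value between the edict count and the area size. The bound should be whatever `PRVM_PROG_TO_EDICT` actually indexes, i.e. the number of allocated edicts (for example `OPA->edict >= prog->max_edicts` if that is the counter the allocator uses) — worth confirming against prvm_edict.c. For consistency with the adjacent field check, the unsigned-cast idiom `(unsigned int)OPA->edict >= (unsigned int)<edict count>` covers the negative case in one comparison. Both checks are copied verbatim between the two cases, so a small macro or static inline helper would keep them from drifting apart. The enclosing switch starts before and continues after this hunk.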
                                        prog->xfunction->profile += (st - startst);
                                        st += st->b - 1;        // offset the s++
                                        startst = st;
+                                       // no bounds check needed, it is done when loading progs
 #if PRVMRUNAWAYCHECK
                                        if (++jumpcount == 10000000)
                                        {
                                        prog->xfunction->profile += (st - startst);
                                        st += st->b - 1;        // offset the s++
                                        startst = st;
+                                       // no bounds check needed, it is done when loading progs
 #if PRVMRUNAWAYCHECK
                                        if (++jumpcount == 10000000)
                                        {
                                prog->xfunction->profile += (st - startst);
                                st += st->a - 1;        // offset the s++
                                startst = st;
+                               // no bounds check needed, it is done when loading progs
 #if PRVMRUNAWAYCHECK
                                if (++jumpcount == 10000000)
                                {
                                prog->argc = st->op - OP_CALL0;
                                if (!OPA->function)
                                        PRVM_ERROR("NULL function in %s", PRVM_NAME);
-                               newf = &prog->functions[OPA->function]; // TODO bounds check function
+
+#if PRVMBOUNDSCHECK
+                               if(!OPA->function || OPA->function >= (unsigned int)prog->progs->numfunctions)
+                               {
+                                       prog->xfunction->profile += (st - startst);
+                                       prog->xstatement = st - prog->statements; // we better stay on the previously executed statement
+                                       PRVM_ERROR("%s CALL outside the program", PRVM_NAME);
+                                       goto cleanup;
+                               }
+#endif
+
+                               newf = &prog->functions[OPA->function];
                                newf->callcount++;
 
                                if (newf->first_statement < 0)
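Review bot: The new guard relies on the implicit signed-to-unsigned conversion of `OPA->function` in `OPA->function >= (unsigned int)prog->progs->numfunctions` to reject negative function numbers; that works, but the intent is clearer and consistent with the field check in the LOAD cases if the cast is written on both sides: `if (!OPA->function || (unsigned int)OPA->function >= (unsigned int)prog->progs->numfunctions)`. The `!OPA->function` half duplicates the pre-existing `if (!OPA->function) PRVM_ERROR(...)` three lines above, which does not `goto cleanup`, so the new check is what actually stops execution when PRVMBOUNDSCHECK is on — a one-line comment such as `// also covers the NULL case above, which does not bail out` would explain why the test is repeated. Including the offending index in the message (`"%s CALL outside the program (function %i)"`) would make a report from a malicious or corrupt progs much easier to triage, assuming `func_t` is an int as the `functions[]` indexing suggests. The OP_CALL case continues past the end of this hunk.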