On Mon, Feb 13, 2017 at 10:41 AM, Sebastian Lackner <sebastian@fds-team.de> wrote:

> Adding those fields should work, but it is a bit dangerous because we only have
> limited space. I would suggest adding asserts to ensure we never make this struct
> too big. Something like this should work:
>
> C_ASSERT( FIELD_OFFSET(TEB, SpareBytes1) + sizeof(struct ntdll_thread_data) <=
>           FIELD_OFFSET(TEB, GdiTebBatch) + sizeof(((TEB *)0)->GdiTebBatch) );


Is the following acceptable:

C_ASSERT( sizeof(struct ntdll_thread_data) <= FIELD_OFFSET(TEB, gdiRgn) - FIELD_OFFSET(TEB, SpareBytes1) );

It should be equivalent, but it is shorter and has fewer parentheses.

> Probably we should also use it for important i386 fields, to ensure they are not
> moved.
>
> #ifdef __i386__
> C_ASSERT( FIELD_OFFSET(TEB, SpareBytes1) + FIELD_OFFSET(struct ntdll_thread_data, vm86) == FIELD_OFFSET(TEB, GdiTebBatch) );
> C_ASSERT( FIELD_OFFSET(TEB, SpareBytes1) + FIELD_OFFSET(struct ntdll_thread_data, vm86) == 0x1fc );
> C_ASSERT( FIELD_OFFSET(TEB, SpareBytes1) + FIELD_OFFSET(struct ntdll_thread_data, gs)   == 0x1d8 );
> #endif


Looks good to me. I'll add that to the patch.

-Andrew
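The two kinds of check discussed in the thread (a size assert so the private struct never grows past the reserved TEB space, and fixed-offset asserts for fields that assembly addresses by number), as a stand-alone example. This is added illustration, not code from the thread or from Wine: `TEB_LIKE` and `struct ntdll_thread_data_like` are constructed stand-ins, `C_ASSERT` and `FIELD_OFFSET` are local redefinitions modelled on the Wine macros, and apart from the 0x1d8 and 0x1fc values quoted in the thread every offset is chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the macros used in the thread (assumption: modelled on Wine's).
 * C_ASSERT makes a false condition a compile error by declaring a parameter
 * with a negative array size; FIELD_OFFSET is plain offsetof. */
#define C_ASSERT(e)        extern void __C_ASSERT__(int [(e) ? 1 : -1])
#define FIELD_OFFSET(t, f) offsetof(t, f)

/* Constructed, simplified TEB (assumption: not Wine's real declaration). Only
 * the reserved region and its neighbours are modelled; fixed-width types keep
 * the offsets identical on 32- and 64-bit hosts. 0x1d8 and 0x1fc come from the
 * thread, everything else is chosen so that they line up. */
typedef struct
{
    uint8_t  Header[0x1bc];            /* everything before the region, collapsed */
    uint8_t  SpareBytes1[24];          /* 0x1bc: start of the private data */
    uint32_t SystemReserved2[10];      /* 0x1d4: also available for private data */
    uint32_t GdiTebBatch[0x4e0 / 4];   /* 0x1fc: last field the private data may overlap */
    uint32_t gdiRgn;                   /* 0x6dc: first field that must not be touched */
} TEB_LIKE;

/* Constructed private per-thread struct overlaid on TEB_LIKE.SpareBytes1
 * (assumption: field names only loosely follow ntdll's). */
struct ntdll_thread_data_like
{
    uint32_t debug_info;               /* 0x00 */
    uint32_t request_fd;               /* 0x04 */
    uint32_t reply_fd;                 /* 0x08 */
    uint32_t wait_fd[2];               /* 0x0c */
    uint32_t fs;                       /* 0x14 */
    uint32_t reserved;                 /* 0x18 */
    uint32_t gs;                       /* 0x1c -> TEB+0x1d8, read by assembly */
    uint32_t other[8];                 /* 0x20: fields that are free to move */
    uint32_t vm86[2];                  /* 0x40 -> TEB+0x1fc, read by assembly */
};

/* Size check in the shorter form from the thread: the private struct must end
 * before gdiRgn. Grow `other` to 319 entries and this line stops compiling. */
C_ASSERT( sizeof(struct ntdll_thread_data_like) <=
          FIELD_OFFSET(TEB_LIKE, gdiRgn) - FIELD_OFFSET(TEB_LIKE, SpareBytes1) );

/* Fixed-offset checks for fields that assembly stubs address by number. */
C_ASSERT( FIELD_OFFSET(TEB_LIKE, SpareBytes1) + FIELD_OFFSET(struct ntdll_thread_data_like, vm86)
          == FIELD_OFFSET(TEB_LIKE, GdiTebBatch) );
C_ASSERT( FIELD_OFFSET(TEB_LIKE, SpareBytes1) + FIELD_OFFSET(struct ntdll_thread_data_like, vm86) == 0x1fc );
C_ASSERT( FIELD_OFFSET(TEB_LIKE, SpareBytes1) + FIELD_OFFSET(struct ntdll_thread_data_like, gs)   == 0x1d8 );

/* Bytes left in the reserved region after the private struct, i.e. how much
 * the size assert still has to spare before it trips. */
size_t teb_private_slack(void)
{
    size_t region = FIELD_OFFSET(TEB_LIKE, gdiRgn) - FIELD_OFFSET(TEB_LIKE, SpareBytes1);
    return region - sizeof(struct ntdll_thread_data_like);
}

/* Absolute TEB offset of a private field, given its offset inside the struct;
 * this is the number an assembly stub would hard-code. */
size_t teb_private_offset(size_t field_offset)
{
    return FIELD_OFFSET(TEB_LIKE, SpareBytes1) + field_offset;
}

/* Runtime confirmation of what the asserts state: write through the overlaid
 * struct, read back at the raw byte offsets 0x1d8 and 0x1fc, and verify that
 * gdiRgn was not clobbered. Returns 1 on success, 0 otherwise. */
int teb_private_roundtrip(void)
{
    TEB_LIKE teb;
    struct ntdll_thread_data_like *td = (struct ntdll_thread_data_like *)teb.SpareBytes1;
    uint32_t gs, vm86;

    memset(&teb, 0, sizeof(teb));
    teb.gdiRgn = 0xdeadbeef;
    td->gs = 0x2b;
    td->vm86[0] = 0x1234;
    memcpy(&gs,   (uint8_t *)&teb + 0x1d8, sizeof(gs));
    memcpy(&vm86, (uint8_t *)&teb + 0x1fc, sizeof(vm86));
    return gs == 0x2b && vm86 == 0x1234 && teb.gdiRgn == 0xdeadbeef;
}

int main(void)
{
    printf("private data: %zu bytes, %zu bytes spare before gdiRgn\n",
           sizeof(struct ntdll_thread_data_like), teb_private_slack());
    printf("gs at TEB+0x%zx, vm86 at TEB+0x%zx, roundtrip %s\n",
           teb_private_offset(offsetof(struct ntdll_thread_data_like, gs)),
           teb_private_offset(offsetof(struct ntdll_thread_data_like, vm86)),
           teb_private_roundtrip() ? "ok" : "FAILED");
    return teb_private_roundtrip() ? 0 : 1;
}
```

The useful property is that both failure modes are caught at compile time rather than by a corrupted `gdiRgn` at run time: adding fields to `other` past the slack breaks the size assert, and inserting a field before `gs` or `vm86` breaks the offset asserts, which is exactly what the assembly that hard-codes 0x1d8 and 0x1fc needs.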