Gerald Pfeifer gerald@pfeifer.com writes:
> Looking at this code it becomes clear we perform out-of-range array accesses in those cases where we execute the full loops.
This can't happen. If there's no ret instruction in the entry point we'll have much bigger problems than an out of range access...
On Wed, 3 Oct 2007, Alexandre Julliard wrote:
> This can't happen. If there's no ret instruction in the entry point we'll have much bigger problems than an out of range access...
Fair point, I guess you're right. How about the following patch then?
Gerald
Index: relay16.c =================================================================== RCS file: /home/wine/wine/dlls/kernel32/relay16.c,v retrieving revision 1.5 diff -u -3 -p -r1.5 relay16.c --- relay16.c 30 Aug 2007 11:21:56 -0000 1.5 +++ relay16.c 6 Oct 2007 23:28:29 -0000 @@ -320,7 +320,9 @@ static int relay_call_from_16_no_debug( for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++) if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
- if (call->ret[j] == 0xcb66) /* cdecl */ + if( j >= sizeof(call->ret)/sizeof(call->ret[0]) ) + ERR("failed to find ret instruction in entry point"); + else if (call->ret[j] == 0xcb66) /* cdecl */ { for (i = 0; i < 20; i++, nb_args++) { @@ -424,7 +426,9 @@ int relay_call_from_16( void *entry_poin for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++) if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
- if (call->ret[j] == 0xcb66) /* cdecl */ + if( j >= sizeof(call->ret)/sizeof(call->ret[0]) ) + ERR("failed to find ret instruction in entry point"); + else if (call->ret[j] == 0xcb66) /* cdecl */ { for (i = 0; i < 20; i++, nb_args++) {
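Review bot: in the first hunk (relay_call_from_16_no_debug) the new `ERR(...)` arm only logs and then falls through: because it is the first arm of an if/else-if chain, neither calling-convention branch runs and execution continues past the chain with nb_args untouched, which is unlikely to be the intended handling for "failed to find ret instruction". Consider bailing out after the ERR rather than chaining with `else if`. The message also needs a trailing newline, since Wine's debug macros do not add one: `ERR("failed to find ret instruction in entry point\n");`. Minor style point: `if( j >= ...)` does not match the `if (` spacing used on the surrounding lines.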
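Review bot: the second hunk (relay_call_from_16) duplicates the same check and ERR verbatim, including the missing trailing `\n` and the fall-through after logging. Both functions already share the identical search loop `for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++)`, so consider moving the search plus its bounds check into one static helper that returns the index or -1, leaving the failure handling in a single place instead of two copies that must be kept in sync.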