by phantombeta » Tue Jun 04, 2019 4:53 pm
I fixed some bugs in my original fix.
PR link: https://github.com/coelckers/gzdoom/pull/861
Due to just blindly copying part of what GZDoom did and freeing the arrayvar register before even using it, the bounds value was getting its value from inside the array's elements. Obvious problem there. It both means it doesn't work correctly, and it also means there's a serious buffer overflow exploit there.
Thankfully, though, there was actually another bug that was making it emit BOUND instead of BOUND_R, which broke it even more - but also stopped the buffer overflow exploit from actually being usable at all.
The PR fixes both bugs.
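The two bugs described in the post, as an added toy illustration (constructed by the editor; this is not GZDoom's VM, its ZScript compiler, or the PR's code). The register allocator, the memory layout of the array object, and the opcode semantics are all assumptions chosen to mirror the description: BOUND is taken to compare the index against an immediate limit and BOUND_R against a limit held in a register. The point to take away is that releasing the register holding the array reference before its last use lets the next allocation overwrite it, so the "count" the bounds check reads comes from whatever address the index value happens to name, and the check then no longer protects the read that follows.

```python
"""Toy register VM mirroring the bug class in the post: the register holding the
array reference ("arrayvar") is freed before it is read, the next allocation
reuses it, and the bounds check compares the index against a word fetched from
the wrong address.  Constructed illustration; not GZDoom's VM or compiler."""


class BoundsError(Exception):
    """Raised when a BOUND / BOUND_R check fails."""


# Constructed memory image.  An array object lives at ARRAY_ADDR with the
# layout [count, e0, e1, e2]; words 8..15 belong to "someone else" and must
# never be reachable through arr[i].
ARRAY_ADDR = 4
MEMORY = [0, 0, 0, 0, 3, 10, 20, 30] + [0xA0 + i for i in range(8)]
NREGS = 8


class Allocator:
    """Minimal register allocator: a freed register is handed out again first."""

    def __init__(self):
        self.free_regs = list(range(NREGS))

    def alloc(self):
        return self.free_regs.pop(0)

    def free(self, reg):
        self.free_regs.insert(0, reg)


def compile_index(index, free_early=False, immediate_bound=False):
    """Emit code for `arr[index]` guarded by a runtime bounds check.

    free_early=True reproduces the register-lifetime bug; immediate_bound=True
    reproduces emitting BOUND (immediate limit) where BOUND_R (register limit)
    was needed.  Both flags False is the corrected code generation.
    """
    regs, code = Allocator(), []
    ra = regs.alloc()
    code.append(("LOADK", ra, ARRAY_ADDR))        # ra <- &arr
    if free_early:
        regs.free(ra)                              # BUG: ra is still needed below
    ri = regs.alloc()                              # reuses ra when free_early
    code.append(("LOADK", ri, index))              # ri <- index (clobbers &arr if reused)
    rc = regs.alloc()
    code.append(("LOADMEM", rc, ra, 0))            # rc <- mem[ra + 0]  (the count)
    if immediate_bound:
        code.append(("BOUND", ri, rc))             # BUG: rc's register *number* is the limit
    else:
        code.append(("BOUND_R", ri, rc))           # trap unless 0 <= ri < rc
    rd = regs.alloc()
    code.append(("INDEX", rd, ra, ri))             # rd <- mem[ra + 1 + ri]
    code.append(("RET", rd))
    return code


def run(code, mem):
    """Interpret the toy instruction list against a memory image."""
    regs = [0] * NREGS
    for ins in code:
        op = ins[0]
        if op == "LOADK":
            regs[ins[1]] = ins[2]
        elif op == "LOADMEM":
            regs[ins[1]] = mem[regs[ins[2]] + ins[3]]
        elif op == "BOUND":                         # limit is an immediate operand
            if not 0 <= regs[ins[1]] < ins[2]:
                raise BoundsError(f"index {regs[ins[1]]} not below {ins[2]}")
        elif op == "BOUND_R":                       # limit is read from a register
            if not 0 <= regs[ins[1]] < regs[ins[2]]:
                raise BoundsError(f"index {regs[ins[1]]} not below {regs[ins[2]]}")
        elif op == "INDEX":
            regs[ins[1]] = mem[regs[ins[2]] + 1 + regs[ins[3]]]
        elif op == "RET":
            return regs[ins[1]]
    raise RuntimeError("missing RET")


def read_element(index, free_early=False, immediate_bound=False):
    """Compile and run arr[index]; returns the element or raises BoundsError."""
    return run(compile_index(index, free_early, immediate_bound), MEMORY)


def outcome(index, free_early=False, immediate_bound=False):
    """Return the element, or the string 'trap' when the bounds check fires."""
    try:
        return read_element(index, free_early, immediate_bound)
    except BoundsError:
        return "trap"


if __name__ == "__main__":
    print(outcome(1))                                  # correct codegen: 20
    print(outcome(5))                                  # correct codegen: trap
    print(outcome(5, free_early=True))                 # lifetime bug: foreign word 0xA3 returned
    print(outcome(5, free_early=True, immediate_bound=True))  # both bugs: trap masks the overflow
```

With only the register-lifetime bug, index 5 passes the check because the "count" is read from element 0 (value 10) and the read reaches a word outside the array; with the second bug layered on top, the immediate form compares against the register number 1 and traps almost everything, which is why the post notes that the second bug broke the feature further but also kept the first one from being usable.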