Commit d6bf4b3

Author: Anadote
Moved Stack increment higher
This can potentially be turned into an information leak. If SP = 1023, then it will pass the check before being updated to 1024. This gives us an OOB, which allows you to set the value of SP to 0-0xffff. With careful heap control, you can get a pointer. This can be stored/examined by the program using ret, as they do not do an upper bound check.
1 parent 9c5c23a commit d6bf4b3

1 file changed

+2
-3
lines changed


‎src/simple-vm-opcodes.c‎

Lines changed: 2 additions & 3 deletions
@@ -1164,6 +1164,8 @@ void op_stack_call(struct svm *svm)
11641164

11651165

11661166
intsp_size=sizeof(svm->stack) /sizeof(svm->stack[0]);
1167+
svm->SP+=1;
1168+
11671169
if (svm->SP >=sp_size)
11681170
svm_default_error_handler(svm,"stack overflow - stack is full!");
11691171

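Review bot: The added `svm->SP+=1;` at new line 1167 mutates SP before the `if (svm->SP >=sp_size)` check, so on the overflow path SP is already at or past sp_size when svm_default_error_handler is called. Whether that handler stops execution is not visible in this hunk; if it can return, the store further down still indexes one past the end of the stack, and the VM is left with an out-of-range SP either way. Consider testing `svm->SP + 1 >= sp_size` first and incrementing only after the check passes, so a rejected call leaves the state unchanged, and add a one-line comment saying why the check must cover the post-increment value.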
@@ -1172,9 +1174,6 @@ void op_stack_call(struct svm *svm)
11721174
* on the stack so that the "ret(urn)" instruction will go
11731175
* to the correct place.
11741176
*/
1175-
svm->SP+=1;
1176-
1177-
11781177
svm->stack[svm->SP]=svm->ip+1;
11791178

11801179
/**
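Review bot: The store `svm->stack[svm->SP]=svm->ip+1;` at new line 1177 now relies entirely on the bounds check several lines above it, and the comment block that precedes it still only explains the return address, not that SP has already been incremented and validated. Add that invariant to the comment so a later edit does not move the increment back below the check. The commit message also says ret does no upper-bound check on SP; this hunk does not touch that path, so it should be covered in a follow-up change or noted as still open.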
