diff options
| author | iximeow <me@iximeow.net> | 2021-12-16 19:58:15 -0800 |
|---|---|---|
| committer | iximeow <me@iximeow.net> | 2021-12-16 20:01:26 -0800 |
| commit | f063f747c21548329170fd09fd09d391b2277aed (patch) | |
| tree | 38159b9379c7f7c081554d431f78872b5a465e92 | |
| parent | cd987288f0334b9888174f4ccc2d1f564388e994 (diff) | |
displacements are stored as unsigned, but are functionally signed ints
so multiplying to expand EVEX compressed offsets can overflow, and that
needs to be okay.
| -rw-r--r-- | CHANGELOG | 4 | ||||
| -rw-r--r-- | src/long_mode/evex.rs | 2 | ||||
| -rw-r--r-- | src/protected_mode/evex.rs | 2 | ||||
| -rw-r--r-- | src/real_mode/evex.rs | 2 | ||||
| -rw-r--r-- | test/long_mode/mod.rs | 6 | ||||
| -rw-r--r-- | test/protected_mode/mod.rs | 6 | ||||
| -rw-r--r-- | test/real_mode/mod.rs | 6 |
7 files changed, 25 insertions, 3 deletions
@@ -1,3 +1,7 @@ +## 1.1.2 +* fix panic when evex instructions with compressed displacements are decoded in + debug builds + ## 1.1.1 * support `endbr64` and `endbr32` - these are interpretations of `nop` (`0f1e` wide nop), so the only issue diff --git a/src/long_mode/evex.rs b/src/long_mode/evex.rs index 7f456e7..5c0967b 100644 --- a/src/long_mode/evex.rs +++ b/src/long_mode/evex.rs @@ -11,7 +11,7 @@ fn isa_has_qwords() -> bool { } fn apply_disp_scale(inst: &mut Instruction) { - inst.disp *= inst.mem_size as u64; + inst.disp = ((inst.disp as i64) * (inst.mem_size as i64)) as u64; } include!("../shared/generated_evex.in"); diff --git a/src/protected_mode/evex.rs b/src/protected_mode/evex.rs index cb0a4ba..2ef91b6 100644 --- a/src/protected_mode/evex.rs +++ b/src/protected_mode/evex.rs @@ -11,7 +11,7 @@ fn isa_has_qwords() -> bool { } fn apply_disp_scale(inst: &mut Instruction) { - inst.disp *= inst.mem_size as u32; + inst.disp = ((inst.disp as i32) * (inst.mem_size as i32)) as u32; } include!("../shared/generated_evex.in"); diff --git a/src/real_mode/evex.rs b/src/real_mode/evex.rs index 9840b35..b63c08d 100644 --- a/src/real_mode/evex.rs +++ b/src/real_mode/evex.rs @@ -11,7 +11,7 @@ fn isa_has_qwords() -> bool { } fn apply_disp_scale(inst: &mut Instruction) { - inst.disp *= inst.mem_size as u32; + inst.disp = ((inst.disp as i32) * (inst.mem_size as i32)) as u32; } include!("../shared/generated_evex.in"); diff --git a/test/long_mode/mod.rs b/test/long_mode/mod.rs index 1efa74e..ee0ab4e 100644 --- a/test/long_mode/mod.rs +++ b/test/long_mode/mod.rs @@ -3390,3 +3390,9 @@ fn test_sevsnp() { fn from_llvm() { test_display(&[0xf3, 0x0f, 0x3a, 0xf0, 0xc0, 0x01], "hreset 0x1"); } + +#[test] +fn from_reports() { + // negative compressed evex displacements should not overflow and panic + test_display(&[0x62, 0xf2, 0x6d, 0xac, 0x00, 0x59, 0xa7], "vpshufb ymm3{k4}{z}, ymm2, ymmword [rcx - 0xb20]"); +} diff --git a/test/protected_mode/mod.rs b/test/protected_mode/mod.rs index 4b8ca8d..70dfb78 100644 --- a/test/protected_mode/mod.rs +++ b/test/protected_mode/mod.rs @@ -3077,3 +3077,9 @@ fn test_sevsnp() { fn from_llvm() { test_display(&[0xf3, 0x0f, 0x3a, 0xf0, 0xc0, 0x01], "hreset 0x1"); } + +#[test] +fn from_reports() { + // negative compressed evex displacements should not overflow and panic + test_display(&[0x62, 0xf2, 0x6d, 0xac, 0x00, 0x59, 0xa7], "vpshufb ymm3{k4}{z}, ymm2, ymmword [ecx - 0xb20]"); +} diff --git a/test/real_mode/mod.rs b/test/real_mode/mod.rs index 6dcc3a2..b13358a 100644 --- a/test/real_mode/mod.rs +++ b/test/real_mode/mod.rs @@ -18362,3 +18362,9 @@ fn test_invalid_sequences() { test_invalid(&[0xf3, 0xf2, 0x0f, 0xae, 0x8f, 0x54, 0x3c, 0x58, 0xb7]); test_invalid(&[0xff, 0xd8]); } + +#[test] +fn from_reports() { + // negative compressed evex displacements should not overflow and panic + test_display(&[0x62, 0xf2, 0x6d, 0xac, 0x00, 0x59, 0xa7], "vpshufb ymm3{k4}{z}, ymm2, ymmword [bx + di - 0xb20]"); +} |