From f3629d9938d25a24c28c8918428bf83ec59746ec Mon Sep 17 00:00:00 2001
From: David Fifield
Date: Sun, 5 Sep 2021 15:41:13 -0600
Subject: [PATCH] Avoid overflow in ceil(exepack_size/16) in stub.

I noticed this while trying to run tests/maxlen_maxrelocs_compressible.packed.exe, which has an exepack_size of 0xffff. The program doesn't run in DOSBox anyway, unless I reduce the size of the uncompressed data in the test. (I'm guessing it has something to do with a too-large stack pointer.) But if I altered the test to use `len = 0x1f000`, then DOSBox would run it, and before this change crash due to the overflow.
---
 CHANGELOG | 7 +++++++
 src/stub.asm | 3 ++-
 src/stub.bin | Bin 283 -> 283 bytes
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 8ebf4a0..f87be97 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,12 @@
 ## v1.3.0
+The decompression stub now works when the size of the EXEPACK block
+(exepack_size in the EXEPACK header) is 0xfff1 or greater. Such a large
+EXEPACK block is only possible if the packed relocation table contains
+between 32,594 and 32,601 entries. Previously, in this case, the
+computation (exepack_size + 15)/16 resulted in an integer overflow, and
+an incorrect computation of where to copy the EXEPACK block at runtime.
+
 ## v1.2.0 2021-09-04
diff --git a/src/stub.asm b/src/stub.asm
index d26ccc2..b7ece04 100644
--- a/src/stub.asm
+++ b/src/stub.asm
@@ -59,7 +59,8 @@ copy_exepack_block:
 mov dx, ds
 mov ax, cx
 add ax, 15
- shr ax, 4
+ rcr ax, 1 ; shift in the carry flag, in case (exepack_size + 15) overflowed
+ shr ax, 3
 add ax, dx ; ax = ds + ceil(exepack_size/16)
 mov dx, bx
diff --git a/src/stub.bin b/src/stub.bin
index 12591c4621ae83e9b08f380f7d1506c0e1c2d875..fda49d41ff9481601c681389f5e71b2615ba3276 100644
GIT binary patch
delta 50
zcmV-20L}lK0-FMm6d=*q!RP}4(23du77PG6&~pNb(2l?{_A&qSq>jQ+Xkd{tS^;2@
IjbM@QEHE<`&;S4c

delta 50
zcmV-20L}lK0-FMm6du9o1Od>A+5;9006EZe0*TO$z%lkQ|MR4d!cb^lku+KXVv&zv
I0g#dIEe_EYy8r+H
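Review bot: The new `rcr ax, 1` in the src/stub.asm hunk is correct only because nothing between `add ax, 15` and it writes CF, and that invariant is documented only on the rcr line, so someone later editing the add may not see it. I would annotate the producer as well, e.g. `add ax, 15 ; CF = carry out of the 17-bit sum, consumed by the rcr below; do not insert flag-writing instructions here`. The diffstat shows stub.bin staying at 283 bytes, which looks consistent with the immediate-count shifts being assembled as runs of single-bit 8086-style shifts; it is worth confirming that the target-CPU setting still encodes the new `rcr`/`shr ax, 3` pair as intended. No regression test accompanies the change (only CHANGELOG, stub.asm and stub.bin are touched) even though the description names the input that exposed it; a fixture with exepack_size of 0xfff1 or greater would pin the fixed computation. copy_exepack_block begins before this hunk and continues after it.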