Changeset 4198 in vbox for trunk/src/VBox/VMM

Timestamp:

Aug 17, 2007 12:45:19 AM (17 years ago)

Author:

vboxsync

Message:

Corrected selector bounds checking for expand down selectors in DBGFR3AddrFromSelOff.

File:

• trunk/src/VBox/VMM/DBGFAddr.cpp (modified) (2 diffs)

trunk/src/VBox/VMM/DBGFAddr.cpp

@@ -63 +63 @@
         if (VBOX_FAILURE(rc))
             return rc;
-        if (off > SelInfo.cbLimit)
+
+        /* check limit. */
+        if (    (SelInfo.Raw.Gen.u4Type & X86_SEL_TYPE_DOWN)
+            &&  SelInfo.Raw.Gen.u1DescType
+            &&  (   SelInfo.Raw.Gen.u4Type == X86_SEL_TYPE_RO_DOWN
+                 || SelInfo.Raw.Gen.u4Type == X86_SEL_TYPE_RO_DOWN_ACC
+                 || SelInfo.Raw.Gen.u4Type == X86_SEL_TYPE_RW_DOWN
+                 || SelInfo.Raw.Gen.u4Type == X86_SEL_TYPE_RW_DOWN_ACC))
+        {
+            if (!SelInfo.Raw.Gen.u1Granularity && off > UINT32_C(0xffff))
+                return VERR_OUT_OF_SELECTOR_BOUNDS;
+            if (off <= SelInfo.cbLimit)
+                return VERR_OUT_OF_SELECTOR_BOUNDS;
+        }
+        else if (off > SelInfo.cbLimit)
             return VERR_OUT_OF_SELECTOR_BOUNDS;
+
         pAddress->FlatPtr = SelInfo.GCPtrBase + off;
         /** @todo fix this flat selector test! */
@@ -71 +86 @@
             &&  SelInfo.Raw.Gen.u1DefBig)
             pAddress->fFlags = DBGFADDRESS_FLAGS_FLAT;
-        else if (SelInfo.cbLimit <= 0xffff)
+        else if (SelInfo.cbLimit <= UINT32_C(0xffff))
             pAddress->fFlags = DBGFADDRESS_FLAGS_FAR16;
-        else if (SelInfo.cbLimit <= 0xffffffff)
+        else if (SelInfo.cbLimit <= UINT32_C(0xffffffff))
             pAddress->fFlags = DBGFADDRESS_FLAGS_FAR32;
         else