displacements are stored as unsigned, but are functionally signed ints

so multiplying to expand EVEX compressed offsets can overflow, and that needs to be okay.
iximeow · Dec 17, 2021 · f063f74 · f063f74
1 parent cd98728
commit f063f74
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 3 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+## 1.1.2
+* fix panic when evex instructions with compressed displacements are decoded in
+  debug builds
+
 ## 1.1.1
 * support `endbr64` and `endbr32`
   - these are interpretations of `nop` (`0f1e` wide nop), so the only issue

diff --git a/src/long_mode/evex.rs b/src/long_mode/evex.rs
@@ -11,7 +11,7 @@ fn isa_has_qwords() -> bool {
 }
 
 fn apply_disp_scale(inst: &mut Instruction) {
-    inst.disp *= inst.mem_size as u64;
+    inst.disp = ((inst.disp as i64) * (inst.mem_size as i64)) as u64;
 }
 
 include!("../shared/generated_evex.in");

diff --git a/src/protected_mode/evex.rs b/src/protected_mode/evex.rs
@@ -11,7 +11,7 @@ fn isa_has_qwords() -> bool {
 }
 
 fn apply_disp_scale(inst: &mut Instruction) {
-    inst.disp *= inst.mem_size as u32;
+    inst.disp = ((inst.disp as i32) * (inst.mem_size as i32)) as u32;
 }
 
 include!("../shared/generated_evex.in");

diff --git a/src/real_mode/evex.rs b/src/real_mode/evex.rs
@@ -11,7 +11,7 @@ fn isa_has_qwords() -> bool {
 }
 
 fn apply_disp_scale(inst: &mut Instruction) {
-    inst.disp *= inst.mem_size as u32;
+    inst.disp = ((inst.disp as i32) * (inst.mem_size as i32)) as u32;
 }
 
 include!("../shared/generated_evex.in");

diff --git a/test/long_mode/mod.rs b/test/long_mode/mod.rs
@@ -3390,3 +3390,9 @@ fn test_sevsnp() {
 fn from_llvm() {
     test_display(&[0xf3, 0x0f, 0x3a, 0xf0, 0xc0, 0x01], "hreset 0x1");
 }
+
+#[test]
+fn from_reports() {
+    // negative compressed evex displacements should not overflow and panic
+    test_display(&[0x62, 0xf2, 0x6d, 0xac, 0x00, 0x59, 0xa7], "vpshufb ymm3{k4}{z}, ymm2, ymmword [rcx - 0xb20]");
+}
diff --git a/test/protected_mode/mod.rs b/test/protected_mode/mod.rs
@@ -3077,3 +3077,9 @@ fn test_sevsnp() {
 fn from_llvm() {
     test_display(&[0xf3, 0x0f, 0x3a, 0xf0, 0xc0, 0x01], "hreset 0x1");
 }
+
+#[test]
+fn from_reports() {
+    // negative compressed evex displacements should not overflow and panic
+    test_display(&[0x62, 0xf2, 0x6d, 0xac, 0x00, 0x59, 0xa7], "vpshufb ymm3{k4}{z}, ymm2, ymmword [ecx - 0xb20]");
+}
diff --git a/test/real_mode/mod.rs b/test/real_mode/mod.rs
@@ -18362,3 +18362,9 @@ fn test_invalid_sequences() {
     test_invalid(&[0xf3, 0xf2, 0x0f, 0xae, 0x8f, 0x54, 0x3c, 0x58, 0xb7]);
     test_invalid(&[0xff, 0xd8]);
 }
+
+#[test]
+fn from_reports() {
+    // negative compressed evex displacements should not overflow and panic
+    test_display(&[0x62, 0xf2, 0x6d, 0xac, 0x00, 0x59, 0xa7], "vpshufb ymm3{k4}{z}, ymm2, ymmword [bx + di - 0xb20]");
+}