overlap unfolded stub on Mach-O i386 [SourceForge upx-Bugs-3447184]

2011-12-02 20:51:13 -08:00 · 2011-12-02 20:51:13 -08:00 · adf9aa04ce
commit adf9aa04ce
parent 69f66fbe52
3 changed files with 1939 additions and 1927 deletions
--- a/src/stub/i386-darwin.macho-entry.h
+++ b/src/stub/i386-darwin.macho-entry.h
--- a/src/stub/src/i386-darwin.macho-entry.S
+++ b/src/stub/src/i386-darwin.macho-entry.S
@ -129,6 +129,9 @@ section LEXEC020

 #define PAGE_SIZE ( 1<<12)

+GAP= 128  // > farthest prefetch;               must match ../../p_mach.cpp
+NO_LAP= 64  // avoid overlap for folded loader; must match ../../p_mach.cpp
+
 sz_b_info= 12
  sz_unc= 0
  sz_cpr= 4
@ -136,10 +139,17 @@ sz_b_info= 12

 // Decompress the rest of this loader, and jump to it.
 unfold:
-        pop esi  // &{ b_info:{sz_unc, sz_cpr, 4{byte}}, compressed_data...}
-        mov eax,[sz_cpr + esi]
-        lea edx,[sz_b_info + eax + esi]
-        push edx  // &destination
+        pop ebx  // &{ b_info:{sz_unc, sz_cpr, 4{byte}}, compressed_data...}
+        mov ecx,[sz_cpr + ebx]
+        lea esi,[             -1+ sz_b_info + ecx + ebx]  // &hi_byte folded original
+        mov edi,[sz_unc + ebx]
+        lea edi,[GAP + NO_LAP -1+ sz_b_info + edi + ebx]  // &hi_byte folded copy
+        std; rep movsb  // copy descending
+
+        lea edx,[GAP                              + ebx]  // &unfolded
+        mov esi,ebx  // &b_info
+        lea ebx,[1+ edi]  // &lo_byte folded copy
+        push edx  // &unfolded code
        cld
        lodsd
        push eax  // sz_uncompressed  (maximum dstlen for lzma)
@ -151,13 +161,13 @@ unfold:
        push eax  // sz_compressed  (srclen)
        lodsd
        mov [4*3 + esp],eax // last 4 bytes of b_info
-        push esi  // &compressed_data
+        push ebx  // &copied_compressed_data
        call ebp  // decompress(&src, srclen, &dst, &dstlen, b_info.misc)
        add esp, (5+1)*4  // (5+1) args to decompress
+        lea ebx,[-4+ _start - decompress + ebp]  // &total_length
        ret      // &destination
 main:
        pop ebp  // &decompress
-        lea ebx,[-4+ _start - decompress + ebp]  // &total_length
        call unfold
            // compressed fold_elf86 follows

--- a/src/stub/tmp/i386-darwin.macho-entry.bin.dump
+++ b/src/stub/tmp/i386-darwin.macho-entry.bin.dump
@ -169,7 +169,7 @@ Idx Name          Size      VMA       LMA       File off  Algn  Flags
 164 CTBSWA11      00000005  00000000  00000000  00001ab0  2**0  CONTENTS, READONLY
 165 CALLTR13      00000007  00000000  00000000  00001ab5  2**0  CONTENTS, RELOC, READONLY
 166 LEXEC017      00000002  00000000  00000000  00001abc  2**0  CONTENTS, READONLY
-167 LEXEC020      00000028  00000000  00000000  00001abe  2**0  CONTENTS, READONLY
+167 LEXEC020      0000003f  00000000  00000000  00001abe  2**0  CONTENTS, READONLY
 SYMBOL TABLE:
 00000000 l    d  N2BSMA10	00000000 N2BSMA10
 00000000 l    d  N2BFAS11	00000000 N2BFAS11