<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
<font style="" face="Courier New">> </font><font style="" face="Courier New"><br></font><font style="" face="Courier New">> It doesn't need a try-except block, just better wrap-around handling.</font><font style="" face="Courier New"><br></font><font style="" face="Courier New">> </font><font style="" face="Courier New"><br></font><font style="" face="Courier New"><br></font><font style="" face="Courier New">Ah, you mean to enhance the if-check?</font><font style="" face="Courier New"><br><br>Well..., to me it seems that there is a problem with the 2nd check: </font><font style="" face="Courier New"><br>"</font><font style="" face="Courier New">(void *)(frame + 1) >= NtCurrentTeb()->Tib.StackBase</font><font style="" face="Courier New">"<br><br>If frame is 0xffffffff or close to it </font><font style="" face="Courier New">(e.g. 0xfffffffc)</font><font style="" face="Courier New">, adding 1 to its address makes it overflow and the left side becomes 0x3, or 0x0 in 0xfffffffc's case. And that would make the check fail.<br><br>I would propose that this would be corrected with an additional overflow check.<br> <br>There are two 4 byte values that needs to be read: next frame address and return address. <br>So, it would be checked that address of </font><font style="" face="Courier New">last byte of return address </font><font style="" face="Courier New">(</font><font style="" face="Courier New">frame + 7 bytes)</font><font style="" face="Courier New"> is not smaller than current frame address, right?<br><br>The if-check would then be as follows:<br><br></font><font style="" face="Courier New">if (((void *)frame < NtCurrentTeb()->Tib.StackLimit) ||<br> ((void *)(frame + 1) >= NtCurrentTeb()->Tib.StackBase) ||<br> ((ULONG_PTR)frame & 3) ||<br> ((ULONG)((char *)frame + 7) < (ULONG)frame)</font><font style="" face="Courier New">)<br> ...<br></font><font style="" face="Courier New"><br>I'm not quite sure if casting pointers to ULONG for comparison is wise move, but can't think anything else for that.<br> <br>Do you think there is any problems with this approach?<br><br><br>Other alternative could be to just simply check if the frame pointer equals to 0xfffffffc, that, combined with "</font><font style="" face="Courier New">(ULONG_PTR)frame & 3</font><font style="" face="Courier New">" should handle all cases near 0xffffffff.<br><br>Best Regards,<br>Janne<br><br></font><font style="" face="Courier New"><br><br></font> </body>
</html>