commit e802acf1b449c6471c1c0cbf81703e671b6afd3e
parent ee46cb411e2dfe6703ba8692f62eb39ec7d8a5fe
Author: Greg Stoll <gstoll@mozilla.com>
Date: Tue, 28 Oct 2025 15:19:16 +0000
Bug 1919213 part 1 - in patcher, treat single byte jmp offsets as signed r=yjuglaret,win-reviewers,handyman
Single-byte offsets to a jmp instruction are signed, not unsigned.
Differential Revision: https://phabricator.services.mozilla.com/D268651
Diffstat:
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/toolkit/xre/dllservices/mozglue/interceptor/PatcherDetour.h b/toolkit/xre/dllservices/mozglue/interceptor/PatcherDetour.h
@@ -1536,7 +1536,14 @@ class WindowsDllDetourPatcher final
const JumpType kJumpTypes[] = {JumpType::Jae, JumpType::Je,
JumpType::Jne};
auto jumpType = kJumpTypes[*origBytes - 0x73];
- uint8_t offset = origBytes[1];
+ int8_t offset = origBytes[1];
+ if (offset < 0) {
+ // We don't support backwards relative jumps. If we want to in the
+ // future we should find a good way to test them.
+ MOZ_ASSERT_UNREACHABLE(
+ "Unrecognized opcode sequence - backwards relative jump");
+ return;
+ }
origBytes += 2;
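Review bot: The new `int8_t offset = origBytes[1];` converts the read byte (presumably a uint8_t) to int8_t implicitly, which is implementation-defined for values 0x80–0xFF before C++20 (two's complement in practice on the supported toolchains); `const int8_t offset = static_cast<int8_t>(origBytes[1]);` makes the reinterpretation deliberate and would also survive a later switch to brace initialization, which rejects that narrowing. The MOZ_ASSERT_UNREACHABLE text says the opcode sequence is unrecognized, but the Jcc opcode was already matched on the line above — what is rejected is the jump direction, so `"Unsupported opcode sequence - backwards relative jump"` would be less misleading when it fires. Because the assert compiles out in release builds, the bare `return;` is all that happens there; a one-line comment stating that the function is left unpatched and that the caller is expected to notice would help, assuming that is the convention the rest of this function follows. The enclosing function starts and ends outside the hunk.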
diff --git a/toolkit/xre/dllservices/mozglue/interceptor/TargetFunction.h b/toolkit/xre/dllservices/mozglue/interceptor/TargetFunction.h
@@ -818,7 +818,7 @@ class MOZ_STACK_CLASS ReadOnlyTargetFunction final {
uint32_t GetOffset() const { return mOffset; }
- uintptr_t OffsetToAbsolute(const uint8_t aOffset) const {
+ uintptr_t OffsetToAbsolute(const int8_t aOffset) const {
return mTargetBytes->GetBase() + mOffset + aOffset;
}
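Review bot: Narrowing the parameter from uint8_t to int8_t means any other call site that still passes a raw byte in 0x80–0xFF now receives a negative displacement silently, since the conversion is implicit and only conversion warnings would catch it; worth confirming that the Jcc path in PatcherDetour.h is the only caller, which this diff does not show. The result is correct only because `mTargetBytes->GetBase() + mOffset` is evaluated first and, assuming GetBase() returns uintptr_t, the promoted int8_t then wraps modulo the pointer width; a later regrouping to `mOffset + aOffset` would wrap a negative offset to 32 bits before the add and produce a wrong address on 64-bit. Writing it as `return mTargetBytes->GetBase() + mOffset + static_cast<intptr_t>(aOffset);` with a comment such as `// aOffset is a signed rel8 displacement; negative values resolve to an address below the current offset.` makes the intent explicit and robust to reordering. ReadOnlyTargetFunction's definition extends beyond the hunk.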