04-24-2005, 01:35 AM
It seems that this is a bug?
Translates to ASM (for the function part)
First, 52 bytes of local data are reserved on the stack (sub esp, 52) (1)
...
Then 24 of these 52 bytes are "freed" (add esp, 24) (2)
...
Then the "freed space" is read and written! (3) & (4)
mov dword ptr [ebp-52], 33
mov eax, dword ptr [ebp-52]
That [ebp-52] is below esp, thus in free stack space, and may be overwritten by any push, call, ...
erdemal
Code:
' Module-level Long, later passed as the argument to myFunc (which never reads it).
Dim myLong As Long
myLong = &HAABBCCDD
''
' Long myFunc(Long Arg1)
' Arg1 is never read. myArray is declared and initialized but never read
' either; only myData contributes to the result, so the function always returns 33.
Function myFunc (Arg1 As Long) As Long
Dim myArray (0 To 3) As Long => {1, 2, 3, 4} ' local array with an explicit initializer
Dim myData As Long
myData = 33
Function = myData ' return value
End Function
''
' myFunc ignores its argument and returns 33, so the first line prints 21.
Print Hex$(myFunc (myLong))
Print " *** FINISHED OK *** "
Translates to ASM (for the function part)
Code:
;-----------------------------------------------------------------------
; Long myFunc(Long Arg1)  -- compiler output for the BASIC function above
; Target: 32-bit x86, Intel syntax (GAS-style .globl directive)
; ABI:    callee pops its single 4-byte argument (ret 4, "@4" decoration)
; In:     [ebp+8] = Arg1 (never read in this body)
; Out:    eax = myData (33)
; Frame:  52 bytes of locals at [ebp-52]..[ebp-1], zero-filled on entry:
;           [ebp-52]           myData
;           [ebp-48]           start of the block handed to _fb_ArraySetDesc
;                              (presumably the array descriptor; its layout
;                              is not visible here -- confirm against the runtime)
;           [ebp-20]..[ebp-8]  myArray(0..3) element storage
;           [ebp-4]            temporary holding the function result
; Saved:  ebx, esi, edi are pushed below the locals (only edi is used here),
;         so esp = ebp-64 for the whole body until the pops at the end.
;-----------------------------------------------------------------------
.globl _MYFUNC@4
_MYFUNC@4:
push ebp
mov ebp, esp
sub esp,52 ; (1) reserve the 52-byte local area: esp = ebp-52
push ebx ; callee-saved registers go below the locals ...
push esi
push edi ; ... so esp = ebp-64 from here on
lea edi, [ebp-52] ; edi = lowest local
mov ecx,13 ; 13 dwords = 52 bytes
xor eax, eax
rep stosd ; zero-fill the entire local area
_t0004:
push 3 ; six 4-byte arguments for _fb_ArraySetDesc (24 bytes total);
push 0 ; presumably cdecl, last push = first argument, and the four
push 1 ; integers presumably describe the array (0 To 3, one dimension,
push 4 ; 4-byte elements) -- confirm against the runtime
lea eax, [ebp-20]
push eax ; address of the element storage
lea eax, [ebp-48]
push eax ; address of the descriptor area
call _fb_ArraySetDesc
add esp, 24 ; (2) caller cleanup: discards exactly the six pushed arguments (6*4 = 24), esp is back at ebp-64; the 52-byte local area is not touched
mov dword ptr [ebp-20], 1 ; initializer {1, 2, 3, 4}
mov dword ptr [ebp-16], 2
mov dword ptr [ebp-12], 3
mov dword ptr [ebp-8], 4
mov dword ptr [ebp-52], 33 ; (3) myData = 33; [ebp-52] is 12 bytes above esp (ebp-64), i.e. inside the frame, not below it
mov eax, dword ptr [ebp-52] ; (4) Function = myData
mov dword ptr [ebp-4], eax ; stash the result in its temporary
_t0003:
mov eax, dword ptr [ebp-4] ; return value in eax
pop edi
pop esi
pop ebx
mov esp, ebp ; release the local area
pop ebp
ret 4 ; also pops Arg1
First, 52 bytes of local data are reserved on the stack (sub esp, 52) (1)
...
Then 24 of these 52 bytes are "freed" (add esp, 24) (2)
...
Then the "freed space" is read and written! (3) & (4)
mov dword ptr [ebp-52], 33
mov eax, dword ptr [ebp-52]
That [ebp-52] is below esp, thus in free stack space, and may be overwritten by any push, call, ...
erdemal