On 14/03/12 21:59, Sean Kelly wrote:
On Mar 14, 2012, at 1:54 PM, FeepingCreature wrote:
I think that case is sufficiently rare that it'd have to count somewhere between "act of
god" and "outright developer malice". The assumption that the stack frame is valid
is, I'd say, safe to make in the vast majority of cases. You pretty much have to actively try to
break it, for no clearly discernible reason.
The prevalence of buffer overflow attacks might suggest otherwise.
void bar(void);   /* forward declaration so foo() compiles under C99+ */

void foo()
{
    bar();
}

void bar()
{
    int y;
    int *p = &y;
    p[1] = 0;     /* deliberate one-word overrun past y: hits the saved EBP slot */
}
The assignment to p[1]=0 clobbers the location where EBP was pushed.
Then:
mov ESP, EBP; // ESP is OK
pop EBP; // EBP is now 0
ret;
now return to foo, where we get:
call bar;
-> mov ESP, EBP; // ESP is now 0
pop EBP; // segfault
ret
Unfortunately it's not difficult to corrupt ESP.
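As an added illustration (not code from the thread), the following program models bar()'s 32-bit frame word by word, applies the same `p[1] = 0` write, and shows the two outcomes a defender cares about: with the plain layout the saved EBP slot is the word that gets zeroed, and with a stack-protector layout a guard word absorbs the write and its check fires before the epilogue ever restores EBP. All slot layouts, the caller's EBP, the return address and the canary value are constructed for the example, and `write_past_y` stands in for the thread's `p[1] = 0`.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values; nothing here is taken from a real binary. */
#define CALLER_EBP 0xbffff0a0u  /* foo()'s frame pointer as pushed by bar()'s prologue */
#define RET_ADDR   0x08048400u  /* return address into foo() */
#define CANARY     0x0a0dff00u  /* guard word; real ones are random per process */

/* Plain frame, as the thread describes it: y sits directly below saved EBP.
 * Slots are listed low address first. */
enum { P_Y = 0, P_SAVED_EBP = 1, P_RET = 2, PLAIN_WORDS = 3 };

/* Guarded frame, as a stack protector lays it out: a canary between the
 * locals and the saved frame pointer. */
enum { G_Y = 0, G_CANARY = 1, G_SAVED_EBP = 2, G_RET = 3, GUARD_WORDS = 4 };

static void build_plain(uint32_t f[PLAIN_WORDS]) {
    f[P_Y] = 0;
    f[P_SAVED_EBP] = CALLER_EBP;
    f[P_RET] = RET_ADDR;
}

static void build_guarded(uint32_t f[GUARD_WORDS]) {
    f[G_Y] = 0;
    f[G_CANARY] = CANARY;
    f[G_SAVED_EBP] = CALLER_EBP;
    f[G_RET] = RET_ADDR;
}

/* The thread's write, `int *p = &y; p[1] = 0;`, applied to the model frame. */
static void write_past_y(uint32_t *y_slot) {
    uint32_t *p = y_slot;
    p[1] = 0;
}

/* Returns 1 if the plain frame's saved EBP was zeroed by the write, which is
 * exactly the value `pop EBP` would restore in bar()'s epilogue. */
int plain_frame_saved_ebp_clobbered(void) {
    uint32_t f[PLAIN_WORDS];
    build_plain(f);
    write_past_y(&f[P_Y]);
    return f[P_SAVED_EBP] != CALLER_EBP;
}

/* Returns 1 if the guarded frame's canary check fails (the __stack_chk_fail
 * path) while the saved EBP itself is still intact. */
int guarded_frame_canary_fires(void) {
    uint32_t f[GUARD_WORDS];
    build_guarded(f);
    write_past_y(&f[G_Y]);
    int canary_bad = f[G_CANARY] != CANARY;
    int ebp_ok = f[G_SAVED_EBP] == CALLER_EBP;
    return canary_bad && ebp_ok;
}

int main(void) {
    printf("plain frame:   saved EBP clobbered = %d\n", plain_frame_saved_ebp_clobbered());
    printf("guarded frame: canary check fires  = %d\n", guarded_frame_canary_fires());
    return 0;
}
```

The guarded case matters because the protector's compare runs before `mov ESP, EBP; pop EBP; ret`, so a corrupted frame is aborted rather than returned from; a longer overrun that reached past the canary to saved EBP would still be caught by the same check. Building with `-fstack-protector` (or the distribution's default `-fstack-protector-strong`) is the cheap mitigation for the failure mode the thread is discussing.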