On Wed, 4 Oct 2006, Alexander Sotirov wrote:
> Rewriting the entire function in asm is a lot of unnecessary effort. Why
> didn't
> you add a simple length check and a 5-byte jump to it in the vulnerable
> function?
>
> Patch right before the call to _IE5_SHADETYPE_TEXT::TOKENS::Ptok, check the
>
Gadi Evron wrote:
> Our (ZERT's) VML patch was what you refer to as "real". There was space
> issue with not enough bytes to play with, so Gil Dabah, one of our
> members, re-wrote the vulnerable function in Yasm, compiled it, and
> hard-coded the compiled code into the binary, with room to spare,