authorJosh Bell <josh@lindenlab.com>2008-04-28 19:40:54 +0000
committerJosh Bell <josh@lindenlab.com>2008-04-28 19:40:54 +0000
commita089a401ee39c016d7d5c950d4f36e170c5a00e4 (patch)
tree7c260ffdd929f64c52e946e67b761b16717ed7ee /indra/lscript/lscript_execute
parentb580951a9e4279f04ea342d49c517091cb989a57 (diff)
svn merge -r 84911:86069 svn+ssh://svn.lindenlab.com/svn/linden/branches/Branch_1-21-Server --> release
Backport fixes made in the production branch to the trunk now that it is live on the grid: * DEV-14443 Launcher not producing colo prefix when looking up sim class * DEV-10840 "/etc/init.d/backbone stop" returns before all child backbones exited; "backbone restart" results in defunct children * DEV-12558: Able to make anyone's object shout error messages * QAR-483 user start location migration prelude * QAR-490 havok4-6 * Revert havok4-5/4-6 code changes causing parcel access check issues * Revert QAR-277 sqlite-backbone * DEV-12357 SEC-53: Script that crashes regions * QAR-486 New proc and query for Web Classifieds Fix
Diffstat (limited to 'indra/lscript/lscript_execute')
-rw-r--r--indra/lscript/lscript_execute/lscript_execute.cpp9
1 files changed, 8 insertions, 1 deletions
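diff --git a/indra/lscript/lscript_execute/lscript_execute.cpp b/indra/lscript/lscript_execute/lscript_execute.cpp
index 12b55c8ea8..6c8b1b40eb 100644
--- a/indra/lscript/lscript_execute/lscript_execute.cpp
+++ b/indra/lscript/lscript_execute/lscript_execute.cpp
@@ -3027,7 +3027,14 @@ BOOL run_return(U8 *buffer, S32 &offset, BOOL b_print, const LLUUID &id)
 if (b_print)
 printf("[0x%X]\tRETURN\n", offset);
 offset++;
- S32 bp = lscript_pop_int(buffer);
+
+ // SEC-53: babbage: broken instructions may allow inbalanced pushes and
+ // pops which can cause caller BP and return IP to be corrupted, so restore
+ // SP from BP before popping caller BP and IP.
+ S32 bp = get_register(buffer, LREG_BP);
+ set_sp(buffer, bp);
+
+ bp = lscript_pop_int(buffer);
 set_bp(buffer, bp);
 offset = lscript_pop_int(buffer);
 return FALSE;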
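Review bot: The value passed on the `set_sp(buffer, bp);` line is read straight from LREG_BP with no range check, so the repair only holds when the caller's BP register is itself still intact; whether `set_sp` or `lscript_pop_int` bound the pointer against the script's memory region is not visible in this hunk. If they do not, a BP that was already overwritten would still direct the two following pops at an out-of-range address, and a bounds check on `bp` against the script's memory size before `set_sp`, failing the script rather than continuing, would close that case. The new comment also misspells "imbalanced" as "inbalanced". The body of `run_return` begins before this hunk.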