From a089a401ee39c016d7d5c950d4f36e170c5a00e4 Mon Sep 17 00:00:00 2001
From: Josh Bell
Date: Mon, 28 Apr 2008 19:40:54 +0000
Subject: svn merge -r 84911:86069 svn+ssh://svn.lindenlab.com/svn/linden/branches/Branch_1-21-Server --> release

Backport fixes made in the production branch to the trunk now that it is live on the grid:
* DEV-14443 Launcher not producing colo prefix when looking up sim class
* DEV-10840 "/etc/init.d/backbone stop" returns before all child backbones exited; "backbone restart" results in defunct children
* DEV-12558: Able to make anyone's object shout error messages
* QAR-483 user start location migration prelude
* QAR-490 havok4-6
* Revert havok4-5/4-6 code changes causing parcel access check issues
* Revert QAR-277 sqlite-backbone
* DEV-12357 SEC-53: Script that crashes regions
* QAR-486 New proc and query for Web Classifieds Fix
---
 indra/lscript/lscript_execute/lscript_execute.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'indra/lscript/lscript_execute')

diff --git a/indra/lscript/lscript_execute/lscript_execute.cpp b/indra/lscript/lscript_execute/lscript_execute.cpp
index 12b55c8ea8..6c8b1b40eb 100644
--- a/indra/lscript/lscript_execute/lscript_execute.cpp
+++ b/indra/lscript/lscript_execute/lscript_execute.cpp
@@ -3027,7 +3027,14 @@ BOOL run_return(U8 *buffer, S32 &offset, BOOL b_print, const LLUUID &id)
 if (b_print)
 printf("[0x%X]\tRETURN\n", offset);
 offset++;
- S32 bp = lscript_pop_int(buffer);
+
+ // SEC-53: babbage: broken instructions may allow inbalanced pushes and
+ // pops which can cause caller BP and return IP to be corrupted, so restore
+ // SP from BP before popping caller BP and IP.
+ S32 bp = get_register(buffer, LREG_BP);
+ set_sp(buffer, bp);
+
+ bp = lscript_pop_int(buffer);
 set_bp(buffer, bp);
 offset = lscript_pop_int(buffer);
 return FALSE;
--
cgit v1.2.3
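Review bot: The added lines in run_return reuse the single local `bp` for two different values — the current frame's BP register read by `get_register(buffer, LREG_BP)` and the caller's BP popped two statements later — which makes the restore-then-pop sequence harder to audit than it needs to be; giving each its own name, `S32 frame_bp = get_register(buffer, LREG_BP); set_sp(buffer, frame_bp);` followed by `S32 caller_bp = lscript_pop_int(buffer); set_bp(buffer, caller_bp);`, would make the intent of the fix explicit. Resetting SP from BP assumes the frame's BP itself was not corrupted by the same imbalanced pushes and pops; nothing in the hunk validates it, or the popped return `offset`, against the script's stack and code bounds, so if those checks do not happen in the caller's dispatch loop a malformed frame could still leave execution at an out-of-range offset. The new comment also misspells `inbalanced`; `imbalanced` is the intended word. run_return's opening lines lie outside the hunk.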