Gadi Evron wrote: > Our (ZERT's) VML patch was what you refer to as "real". There was space > issue with not enough bytes to play with, so Gil Dabah, one of our > members, re-wrote the vulnerable function in Yasm, compiled it, and > hard-coded the compiled code into the binary, with room to spare, saving > functionality. Code crunching is back in style. :) Rewriting the entire function in asm is a lot of unnecessary effort. Why didn't you add a simple length check and a 5-byte jump to it in the vulnerable function? Patch right before the call to _IE5_SHADETYPE_TEXT::TOKENS::Ptok, check the length of the string, and you're done. Or you can patch the copy loop and count the characters there. It's easier and safer than rewriting the function. Alex
