00401048 mov [eax+0x10],ecx
0040104b mov [eax+0x14],ecx
0040104e mov ecx,esi
00401050 mov esi,[esp+0xc]
00401054 mov edx,ecx
00401056 mov [eax],edi
00401058 shr ecx,0x2
0040105b lea edi,[eax+0x18]
0040105e rep movsd
00401060 mov ecx,edx
00401062 and ecx,0x3
00401065 rep movsb
00401067 pop edi
00401068 pop esi
00401069 ret
This function is effectively identical to the original version presented earlier,
except for movzx esi,word ptr [esp+0xc] at 00401025. The idea is that
instead of directly loading the buffer length from the stack and adding 0x18 to
it, we now treat it as an unsigned short, which eliminates the possibility of
causing an overflow because the arithmetic is performed using 32-bit registers:
a zero-extended 16-bit value can be at most 0xFFFF, so adding 0x18 to it in a
32-bit register can never wrap around. The use of the MOVZX instruction is
crucial here and is discussed in the next section.
Type Conversion Errors
Sometimes software developers don’t fully understand the semantics of the
programming language they are using. These semantics can be critical because
they define (among other things) how data is going to be handled at a low
level. Type conversion errors take place when developers mishandle incoming
data types and perform incorrect conversions on them. For example, consider
the following variant on my famous allocate_object function:
allocate_object:
00401021 push esi
00401022 movsx esi,word ptr [esp+0xc]
00401027 push edi
00401028 lea edi,[esi+0x18]
0040102b push edi
0040102c call Chapter7!malloc (004010d9)
00401031 pop ecx
00401032 xor ecx,ecx
00401034 cmp eax,ecx
00401036 jnz Chapter7!allocate_object+0x1b (0040103c)
00401038 xor eax,eax
0040103a jmp Chapter7!allocate_object+0x43 (00401064)
0040103c mov [eax+0x4],ecx
0040103f mov [eax+0x8],ecx
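To make the difference between the two listings concrete, here is an added C example (not code from the book or from the Chapter7 binary) that mirrors the arithmetic of both versions: the movzx version zero-extends the 16-bit length, the movsx variant sign-extends it, and both then add the 0x18 header and use the same extended register as the copy count for rep movsd/movsb. The HEADER_SIZE constant, the block_holds_copy audit check and the checked_alloc_size helper are assumptions introduced for the example; the check simply asks whether the block size the function would request can hold the header plus the number of bytes it would copy.

```c
#include <stdint.h>
#include <stdio.h>

/* Size of the header allocate_object reserves in front of the copied buffer
 * (the 0x18 added by lea edi,[esi+0x18] in the listing). Assumed constant. */
#define HEADER_SIZE 0x18u

/* Mirror of movzx: the 16-bit length is zero-extended into a 32-bit register,
 * so it can never exceed 0xFFFF before the header size is added. */
uint32_t zero_extend16(uint16_t raw_len)
{
    return (uint32_t)raw_len;
}

/* Mirror of movsx: the 16-bit length is sign-extended, so any value with the
 * top bit set (>= 0x8000) becomes a negative 32-bit number. Written with
 * explicit arithmetic so the result does not depend on compiler behaviour. */
uint32_t sign_extend16(uint16_t raw_len)
{
    int32_t v = (raw_len & 0x8000u) ? (int32_t)raw_len - 0x10000 : (int32_t)raw_len;
    return (uint32_t)v;
}

/* Allocation size as the listing computes it: extended length + 0x18,
 * in 32-bit wraparound arithmetic (exactly what the lea produces). */
uint32_t alloc_size(uint32_t extended_len)
{
    return extended_len + HEADER_SIZE;
}

/* Audit check (assumed helper): can a block of alloc bytes hold HEADER_SIZE
 * plus a copy of copy_len bytes? The rep movsd/movsb pair copies the extended
 * length, so both arguments come from the same register value. */
int block_holds_copy(uint32_t alloc, uint32_t copy_len)
{
    return alloc >= HEADER_SIZE && (alloc - HEADER_SIZE) >= copy_len;
}

/* What a fixed allocator should do with a full 32-bit length (assumed helper):
 * refuse any length whose header-adjusted size would wrap around. */
int checked_alloc_size(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - HEADER_SIZE)
        return 0;                     /* would wrap: reject the request */
    *out = len + HEADER_SIZE;
    return 1;
}

int main(void)
{
    /* Constructed sample lengths covering both halves of the 16-bit range. */
    uint16_t samples[] = { 0x0010, 0x7FFF, 0x8000, 0xFFFF };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t z = zero_extend16(samples[i]);
        uint32_t s = sign_extend16(samples[i]);
        printf("len=0x%04x  movzx: alloc=0x%08x consistent=%d  "
               "movsx: alloc=0x%08x consistent=%d\n",
               samples[i],
               alloc_size(z), block_holds_copy(alloc_size(z), z),
               alloc_size(s), block_holds_copy(alloc_size(s), s));
    }
    return 0;
}
```

With the zero-extended length every row is consistent: the largest request is 0xFFFF + 0x18, which fits comfortably in 32 bits. With the sign-extended length, 0xFFFF becomes 0xFFFFFFFF, the lea wraps the requested size down to 0x17 bytes, and the block can no longer hold the copy count derived from the same register; that mismatch between the size passed to malloc and the count passed to rep movsd is the thing to look for when auditing a conversion like this.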
260 Chapter 7