Off-by-one access in fillRegister

[0vercl0k]

Hello,

The following bytes '\x44\x0f\xf8\x41\x8b' (disassembled as psubb mm0,mmword ptr [rcx-75h] by windbg) triggers an off-by-one in the RegistersMMX global variable:

void __bea_callspec__ fillRegister(int index, OPTYPE* pMyOperand, PDISASM pMyDisasm)
{
    size_t i = 0;
    switch(GV.Register_) {
      // ...
      case MMX_REG:
        #ifndef BEA_LIGHT_DISASSEMBLY
           (void) strcpy ((char*) pMyOperand->OpMnemonic+i, RegistersMMX[index]);
        #endif

The index variable is off-by-one:

08 0000002f`75dfce10 00007ff7`b1172f2a     rp_win_x64!fillRegister(int index = 0n8, struct OPTYPE * pMyOperand = 0x0000002f`75dfe06c, struct _Disasm * pMyDisasm = 0x0000002f`75dfdecc)+0x598 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 105] 

Cheers

[0vercl0k]

There's a similar case with the bytes '\x62' in the below case:

  default:
    switch (GV.OperandSize) {
    case 16:
#ifndef BEA_LIGHT_DISASSEMBLY
      (void)strcpy((char *)pMyOperand->OpMnemonic + i, Registers16Bits[index]);

index is out-of-bounds:

08 00000054`5b6fd190 00007ff7`f6fb2f2a     rp_win_x64!fillRegister(int index = 0n23, struct OPTYPE * pMyOperand = 0x00000054`5b6fe690, struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0xde5 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 180] 
09 00000054`5b6fd410 00007ff7`f7041e09     rp_win_x64!decodeRegOpcode(struct OPTYPE * pMyOperand = 0x00000054`5b6fe690, struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0x32a [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 238] 
0a 00000054`5b6fd4d0 00007ff7`f70b014a     rp_win_x64!vextractf128(struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0x2e9 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 15002] 
0b 00000054`5b6fd630 00007ff7`f6fa3226     rp_win_x64!bound_(struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0xd3a [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 713] 
0c 00000054`5b6fdb00 00007ff7`f70b4f9a     rp_win_x64!AnalyzeOpcode(struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0x166 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c @ 222] 

Cheers

[0vercl0k]

Same with '\x4f' in:

    case 64:
#ifndef BEA_LIGHT_DISASSEMBLY
        (void)strcpy((char *)pMyOperand->OpMnemonic + i,
                     Registers64Bits[index]);

08 00000095`2f9fcf50 00007ff6`444c2f2a     rp_win_x64!fillRegister(int index = 0n30, struct OPTYPE * pMyOperand = 0x00000095`2f9fe600, struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x106b [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 203] 
09 00000095`2f9fd1e0 00007ff6`444b26c1     rp_win_x64!decodeRegOpcode(struct OPTYPE * pMyOperand = 0x00000095`2f9fe600, struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x32a [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 243] 
0a 00000095`2f9fd2a0 00007ff6`444e123a     rp_win_x64!ExGx(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x51 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c @ 271] 
0b 00000095`2f9fd320 00007ff6`445c012b     rp_win_x64!vpscatterqd(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x4da [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 30224] 
0c 00000095`2f9fd420 00007ff6`445b3286     rp_win_x64!bound_(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0xcdb [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 710] 
0d 00000095`2f9fd8f0 00007ff6`444b3226     rp_win_x64!dec_edi(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x736 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 2213] 
0e 00000095`2f9fda70 00007ff6`445c4fda     rp_win_x64!AnalyzeOpcode(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x166 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c @ 222] 

Cheers