DOS ain't dead
FreeDOS EDIT 0.9a (0.9.1.0) - Interrupt vector trashing bug? (Users)

posted by Arjay(R), 26.10.2013, 18:40
(edited by Arjay on 26.10.2013, 23:42)

Whilst testing with IVTUTIL, I appear to have uncovered a fairly critical bug in FreeDOS's EDIT 0.9a and 0.7 (earlier versions also?). Under at least one scenario FreeDOS's EDIT.EXE appears to trash at least 2 fairly critical Interrupt vectors: Int 01h (SINGLE STEP) + Int 02h (NON-MASKABLE INTERRUPT).

I suspect this may possibly be related to FreeDOS bug #2 reported by DOS386 back when edit 0.9a first came out, #2 FreeDOS EDIT 0.9 BUG - mouse cursor vanishes on some hardware and discussed on this forum.

Due to my time constraints I would appreciate it if others could also take a look at this. I will raise a FD bug report and point it to this discussion.

Example steps to review the bug:
1) Download and extract IVTUTIL.EXE
2) c:\edittest>IVTUTIL MEM B4EDIT.TXT
3) c:\edittest>IVTUTIL MEM B4EDIT.DAT
4) c:\edittest>EDIT
5) Within EDIT select "File", "New"
6) Within EDIT select "File", "Exit"
7) c:\edittest>IVTUTIL MEM AFTREDIT.TXT
8) c:\edittest>IVTUTIL MEM AFTREDIT.DAT
9) Compare the contents of B4EDIT.TXT and AFTREDIT.TXT (text file)
10) Compare the contents of B4EDIT.DAT and AFTREDIT.DAT (binary data)

There should NOT be any differences if EDIT.EXE is correctly restoring Interrupts.

e.g. for me under DOSBox:

B4EDIT.TXT
INT    VECTOR    POINTS TO
---    ------    ---------
$00   F000:1060
$01   0070:0008
$02   0070:0008
$03   0070:0008


vs

AFTREDIT.TXT
INT    VECTOR    POINTS TO
---    ------    ---------
$00   F000:1060
$01   6465:6C74
$02   0070:0000
$03   0070:0008


If you review the binary data, e.g. AFTREDIT.DAT
-d         [interrupt00][interrupt01][interrupt02][interrupt03]
xxxx:0100  60 10 00 F0 74 6C 65 64-00 00 70 00 08 00 70 00   `...tled..p...p.


Interrupt 01h is set to 6465:6C74 which in binary is "tled" presumably from the default window name of "Untitled". It looks like EDIT.EXE has a pointer with a null segment causing the overwriting of the Interrupt Vector Table.
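Steps 9 and 10 above, together with the segment:offset decoding just described, as an added example that is not from the post or from IVTUTIL: this Python script diffs two raw IVT dumps (256 vectors, each an offset word followed by a segment word, little-endian), reports every changed vector as segment:offset, and shows the vector's raw bytes as text so a string that has leaked into the table is obvious. The sample dumps are constructed from the 16 bytes shown in the post; that the IVTUTIL .DAT file is a straight 1 KiB copy of 0000:0000 is an assumption.

```python
# Added example: diff two raw IVT dumps and flag changed vectors.
# Not from the post or from IVTUTIL; the .DAT layout (1 KiB copy of
# 0000:0000, four bytes per vector) is assumed.
import struct
from typing import NamedTuple

IVT_SIZE = 256 * 4


class VectorChange(NamedTuple):
    intno: int      # interrupt number
    before: str     # SEG:OFF in the first dump
    after: str      # SEG:OFF in the second dump
    as_text: str    # the four raw bytes of the new vector shown as ASCII


def parse_ivt(data: bytes) -> list[tuple[int, int]]:
    """Return (segment, offset) for each of the 256 vectors in a 1 KiB dump."""
    if len(data) < IVT_SIZE:
        raise ValueError(f"IVT dump too short: {len(data)} bytes, need {IVT_SIZE}")
    # Each vector is stored offset word first, then segment word (little-endian),
    # so bytes 74 6C 65 64 unpack to offset 6C74, segment 6465.
    return [struct.unpack_from("<HH", data, i * 4)[::-1] for i in range(256)]


def as_text(raw: bytes) -> str:
    """Render raw bytes as printable ASCII ('.' for anything else)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def diff_ivt(before: bytes, after: bytes) -> list[VectorChange]:
    """List every vector whose value differs between the two dumps."""
    changes = []
    for intno, (old, new) in enumerate(zip(parse_ivt(before), parse_ivt(after))):
        if old != new:
            raw = after[intno * 4: intno * 4 + 4]
            changes.append(VectorChange(intno, f"{old[0]:04X}:{old[1]:04X}",
                                        f"{new[0]:04X}:{new[1]:04X}", as_text(raw)))
    return changes


def make_sample(first16_hex: str) -> bytes:
    """Constructed 1 KiB dump: the given 16 bytes, then 0070:0008 for every other vector."""
    return bytes.fromhex(first16_hex) + bytes.fromhex("08007000") * 252


# Constructed from the post's B4EDIT/AFTREDIT dumps (INT 00h..03h).
BEFORE = make_sample("6010 00F0 0800 7000 0800 7000 0800 7000")
AFTER = make_sample("6010 00F0 746C 6564 0000 7000 0800 7000")

if __name__ == "__main__":
    for c in diff_ivt(BEFORE, AFTER):
        print(f"INT {c.intno:02X}h: {c.before} -> {c.after}  bytes as text: {c.as_text}")
```

For real dumps, pass `open("B4EDIT.DAT", "rb").read()` and `open("AFTREDIT.DAT", "rb").read()` to `diff_ivt` instead of the constructed samples.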


[EDIT]Link to FreeDOS bug report #112[/EDIT]

[EDIT2]I have now confirmed this further. Firstly as below, via debug and selecting create "new file" whilst in EDIT as per steps 5+6 above:

C:\EDITTEST>debug edit.exe
-d 0:0,f
0000:0000  68 10 A7 00 8B 01 70 00-16 00 BE 03 8B 01 70 00   h.....p.......p.
-g
FreeDOS EDIT 0.9a (0.9.1.0)
(based on FreeDOS DFlat+ 1.0 application framework)

Program terminated normally
-d 0:0,f
0000:0000  68 10 A7 00 74 6C 65 64-00 00 BE 03 B1 13 8F 0F   h...tled........
-q
C:\EDITTEST>


Reviewing the source for EDIT.C I noted the following static value:
static char Untitled[] = "Untitled";

I copied and patched the EXE at offset 276BD, changing the bytes 74,6C,65,64 / "tled" to 54 45 53 54 / "TEST", performed the same steps above, and sure enough the word "TEST" appeared in the interrupt vector table....

C:\EDITTEST>debug edit2.exe
-d 0:0,f
0000:0000  68 10 A7 00 8B 01 70 00-00 00 BE 03 8B 01 70 00   h.....p.......p.
-g
FreeDOS EDIT 0.9a (0.9.1.0)
(based on FreeDOS DFlat+ 1.0 application framework)

Program terminated normally
-d 0:0,f
0000:0000  68 10 A7 00 54 45 53 54-00 00 BE 03 B1 13 8F 0F   h...TEST........
-q
C:\EDITTEST>
