Serious command processor bug

This is definitely the weirdest bug I've seen in 12 years! We lost a full day just tracking down this issue.


We found that cmd.exe silently drops the 8191st char of a long enough command. Furthermore, this bug occurs in Windows 7 clients as well.


This simple batch echoes a sequence of zeroes and ones, clearly exposing this bug:

@echo 01010101010101010101
@pause > nul

[attached screenshot: 8191test.png]


Best regards,

George Weinburg

May 24th, 2015 8:34am

The mystery is over, we found the bug.

Your token parser always drops the last char of the token buffer! Writing the current char immediately after TextCheck() should fix this.

Address        Hex dump              Command
; Jump from Lex+9D
cmd.Lex+AD4    +> +66:8B45 FC        MOV AX,SS:[LOCAL.1]
cmd.Lex+AD8    .  834D 10 40        OR DWORD PTR SS:[ARG.3],00000040
cmd.Lex+ADC    .  66:8906           MOV DS:[ESI],AX
cmd.Lex+ADF    .  8325 9841A74A 00  AND DWORD PTR DS:[AtIsToken],00000000
cmd.Lex+AE6    .  46                INC ESI
cmd.Lex+AE7    .  46                INC ESI
cmd.Lex+AE8    .  8BFE              MOV EDI,ESI
cmd.Lex+AEA    .  2B7D F8           SUB EDI,SS:[LOCAL.2]
cmd.Lex+AED    .  D1FF              SAR EDI,1
; Grab a char from the text buffer...
cmd.Lex+AEF    >  8D45 10           +LEA EAX,[ARG.3]
cmd.Lex+AF2    .  50                PUSH EAX
cmd.Lex+AF3    .  8D45 FC           LEA EAX,[LOCAL.1]
cmd.Lex+AF6    .  50                PUSH EAX
cmd.Lex+AF7    .  8975 08           MOV SS:[ARG.1],ESI
cmd.Lex+AFA    .  E8 6BF7FFFF       CALL TextCheck
cmd.Lex+AFF    .  3BC3              CMP EAX,EBX
cmd.Lex+B01    .  74 14             JE SHORT 4AA5283D
; BUG: break if TokBufLength - 1 = CurrentPos BEFORE writing current char!
cmd.Lex+B03    .  8B45 0C           MOV EAX,SS:[ARG.2]
cmd.Lex+B06    .  48                DEC EAX
cmd.Lex+B07    .  3BF8              CMP EDI,EAX
cmd.Lex+B09    .  7D 0C             JGE SHORT 4AA5283D
; Any token longer than TokBufLength (8192 bytes) will expose this bug...
cmd.Lex+B0B    .  66:8B45 FC        MOV AX,SS:[LOCAL.1]
cmd.Lex+B0F    .  66:8906           MOV DS:[ESI],AX
cmd.Lex+B12    .  46                INC ESI
cmd.Lex+B13    .  46                INC ESI
cmd.Lex+B14    .  47                INC EDI
cmd.Lex+B15    .  EB D8             +JMP SHORT 4AA52815
cmd.Lex+B17    >  8365 10 BF        AND DWORD PTR SS:[ARG.3],FFFFFFBF
cmd.Lex+B1B    .  33C0              XOR EAX,EAX
cmd.Lex+B1D    .  66:8906           MOV DS:[ESI],AX
cmd.Lex+B20    .  8B45 0C           MOV EAX,SS:[ARG.2]
cmd.Lex+B23    .  8D48 FF           LEA ECX,[EAX-1]
cmd.Lex+B26    .  3BF9              CMP EDI,ECX
cmd.Lex+B28    .  7D 05             JGE SHORT 4AA52855
cmd.Lex+B2A    .  E8 22F7FFFF       CALL UnGetByte
cmd.Lex+B2F    >  3BF8              CMP EDI,EAX
cmd.Lex+B31    .  0F8D 81470100     JGE 4AA66FDE
cmd.Lex+B37    >  B8 00400000       MOV EAX,4000
cmd.Lex+B3C    +.  E9 B3F5FFFF       JMP 4AA51E1A
June 5th, 2015 4:01am
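The copy loop in the listing above, modelled in C as an added example (this is not code from the post and not cmd.exe's own code). It reproduces both orderings of the limit test and the store: the listing's order (test `TokBufLength - 1` against the current position, then store) and the order the post proposes as the fix (store, then test). `text_check`, `un_get_byte`, `lex_token` and `lex_all` are demo stand-ins for the routines named in the listing, `TOKLEN` is a small stand-in for the TokBufLength argument so the output stays readable, and the "0101..." input is constructed here to mirror the batch file in the first post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the token-copy loop in cmd.Lex as read from the listing.
 * Chars are 16-bit (MOV AX / INC ESI twice). TOKLEN stands in for the
 * TokBufLength argument (ARG.2); 8 keeps the demo readable and is an
 * assumption, not cmd's value. All names below are the demo's own. */
#define TOKLEN 8
#define DEMO_MAX 64

typedef struct {
    const uint16_t *text;
    size_t len;
    size_t cur;   /* next char to read; un_get_byte steps it back */
} Stream;

/* Stand-in for TextCheck: next char, or 0 once the text is exhausted.
 * A delimiter-free token is fed, so the delimiter path is not modelled. */
static uint16_t text_check(Stream *s)
{
    uint16_t ch = (s->cur < s->len) ? s->text[s->cur] : 0;
    s->cur++;   /* the terminator is consumed too, so it can be given back */
    return ch;
}

static void un_get_byte(Stream *s) { if (s->cur) s->cur--; }

/* Copy one token into tokbuf (TOKLEN entries). buggy=1 follows the
 * listing (test the limit, then store); buggy=0 stores first and then
 * tests, which is the fix the post proposes. Returns chars stored. */
static size_t lex_token(Stream *s, uint16_t *tokbuf, int buggy)
{
    size_t pos = 0;   /* EDI: chars already in the buffer */
    for (;;) {
        uint16_t ch = text_check(s);
        if (ch == 0) break;                 /* JE: end of token */
        if (buggy) {
            if (pos >= TOKLEN - 1) break;   /* JGE taken: ch is silently lost */
            tokbuf[pos++] = ch;
        } else {
            tokbuf[pos++] = ch;
            if (pos >= TOKLEN - 1) break;   /* buffer full, ch kept */
        }
    }
    tokbuf[pos] = 0;
    if (pos < TOKLEN - 1) un_get_byte(s);   /* give back the terminator */
    return pos;
}

/* Lex the whole text and concatenate the tokens, which is what echo
 * ends up printing. Returns the number of chars placed in out. */
static size_t lex_all(const uint16_t *text, size_t len, int buggy,
                      uint16_t *out, size_t outcap)
{
    Stream s = { text, len, 0 };
    uint16_t tokbuf[TOKLEN];
    size_t total = 0;
    while (s.cur < s.len) {
        size_t n = lex_token(&s, tokbuf, buggy);
        if (n == 0 || total + n > outcap) break;
        memcpy(out + total, tokbuf, n * sizeof *tokbuf);
        total += n;
    }
    return total;
}

/* Constructed input: "0101..." of the given length, like the batch file. */
static void make_pattern(uint16_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) buf[i] = (uint16_t)('0' + (i & 1));
}

/* Index of the first char lost for an input of len chars (len <= DEMO_MAX),
 * or -1 if the reassembled output matches the input. */
static int first_dropped(size_t len, int buggy)
{
    uint16_t in[DEMO_MAX], out[DEMO_MAX];
    make_pattern(in, len);
    size_t n = lex_all(in, len, buggy, out, DEMO_MAX);
    for (size_t i = 0; i < len; i++)
        if (i >= n || out[i] != in[i]) return (int)i;
    return -1;
}

static size_t output_len(size_t len, int buggy)
{
    uint16_t in[DEMO_MAX], out[DEMO_MAX];
    make_pattern(in, len);
    return lex_all(in, len, buggy, out, DEMO_MAX);
}

int main(void)
{
    uint16_t in[DEMO_MAX], out[DEMO_MAX];
    size_t len = 2 * TOKLEN;
    make_pattern(in, len);
    for (int buggy = 1; buggy >= 0; buggy--) {
        size_t n = lex_all(in, len, buggy, out, DEMO_MAX);
        printf("%s: ", buggy ? "buggy" : "fixed");
        for (size_t i = 0; i < n; i++) putchar((char)out[i]);
        printf("  (%zu of %zu chars)\n", n, len);
    }
    return 0;
}
```

Build with `cc -std=c99 lex_demo.c`. With the listing's ordering, a token of exactly TOKLEN-1 chars survives intact, but from TOKLEN chars onward the char at index TOKLEN-1 is read, fails the `JGE` test and is neither stored nor handed back by `un_get_byte`, so the next token starts one char late; the store-then-test ordering fills the buffer to the same capacity without losing anything.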

Hi George,

Thanks for updating.

Best regards

June 7th, 2015 10:39pm
