Summary
-------

These copies of BPQDLL.DLL, PAC4.EXE and SWITCH.EXE have been patched to fix a problem which very occasionally occurs when decoding nodes broadcasts. The problem manifests itself as a GPF in BPQDLL.DLL if the Windows application using it calls the function which decodes monitored frames, and a crash in PAC4.EXE and SWITCH.EXE if monitoring is enabled. The problem occurs very rarely, because, for a nodes broadcast to trigger it, the broadcast itself must have a very unusual structure!

The problem was discovered as a result of GPFs occurring when using BPQDLL.DLL with WinPack; crashes in PAC4.EXE were also noted. I would like to thank G4ZEC, who was lucky, or unlucky, enough to regularly get the GPFs, for his help and persistence in tracking down this problem. Once the cause was found, a suitably constructed nodes broadcast would always crash the programs, but finding the cause was a very prolonged exercise!

The versions of the programs which have been patched were from the BPQ 4.08a release. Normally I would not consider issuing altered versions of someone else's software, but my understanding is that the author no longer actively supports the programs. The patches have no effect other than to make these programs more robust, and so I feel that, in this case, releasing the patches is justified.

Please note that the patched version of BPQDLL.DLL is *much* smaller than the original, because I have stripped some symbolic debugging information from it. This debugging information was of little use unless you had a copy of the source code from which the DLL was compiled, and I doubt if G8BPQ intended leaving it there. Removing it makes the file much smaller for sending via 7plus.

Installation
------------

Replace your existing versions of these three files with these new versions. Please check how many copies of BPQDLL.DLL you have on your PC - you can very easily finish up with Windows using the wrong copy!
There should only be one copy and it should be in your Windows SYSTEM directory. On a "normal" Windows installation, with Windows installed in C:\WINDOWS, the Windows SYSTEM directory is C:\WINDOWS\SYSTEM. If your Windows is in, say, D:\WIN31, the Windows SYSTEM directory is almost certainly D:\WIN31\SYSTEM. (There is sometimes confusion about where to put BPQDLL.DLL because of the special arrangements that are sometimes needed for BPQCODE.386. There is nothing special needed for BPQDLL.DLL; it behaves exactly like any other Windows DLL.)

Technical Details
-----------------

BPQDLL.DLL, PAC4.EXE and SWITCH.EXE use very similar code to interpret received nodes broadcasts for displaying on the screen. In this code the CX register is used as a length countdown counter for the frame being decoded. In some rare situations the length count will go below zero, as a result of a node transmitting superfluous bytes on the end of a nodes broadcast. The original code attempted to allow for this using:-

        cmp     cx, 0
        jbe

However, this is not valid because JBE is an unsigned test and this jump will in fact only occur if CX = 0. Therefore if CX gets decremented below zero, another 65,535 or so non-existent bytes of the frame are decoded, causing a crash in PAC4, a crash in SWITCH.EXE and a GPF in BPQDLL.DLL. I have changed it to:-

        cmp     cx, 21
        jl

The comparison is now made correctly using JL, which is a signed comparison. Also, the interpretation stops if there are fewer than 21 bytes left, because anything less than that must be garbage. (This is because of the particular structure of a nodes broadcast.)

Should anyone want to examine the patch, the patch addresses in the files are:-

        BPQDLL.DLL - 0F66h
        PAC4.EXE   - 0EEFh
        SWITCH.EXE - 6A16h

Note that these are the absolute offsets in the files; they will not be the correct addresses when the programs are run in a debugger.

For anyone who has a detailed knowledge of the structure of a nodes broadcast, here is a sample of a captured broadcast frame which triggered the problem with the original versions of the programs. In this example there are four superfluous bytes on the end of the broadcast.

000000: 9C 9E 88 8A A6 40 60 8E 70 AC 9A 98 40 73 03 CF .....@`.p...@s..
000010: FF 53 43 4F 55 54 37 8E 70 9E B0 A6 40 70 48 44 .SCOUT7.p...@pHD
000020: 4F 57 4E 20 8E 60 A4 A4 8E 40 6F 38 8E 60 A4 A4 OWN .`...@o8.`..
000030: 8E 40 6F 4E 57 37 32 20 20 8E 60 A4 A4 8E 40 6F .@oNW72 .`...@o
000040: 96 00 10 00 00

Roger Barker, G4IDE
October 1997
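As an added illustration (not part of the patch or of the BPQ code), the following C model walks the captured frame above with both tests, emulating CX as a 16-bit register. It assumes the usual NET/ROM layout: a 16-byte AX.25 header, the 0xFF signature and six-byte sending alias, then 21-byte records (callsign, alias, neighbour, quality), with CX decremented once per record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the captured frame (69 bytes): AX.25 header, 0xFF
 * signature, alias "SCOUT7", two 21-byte records, four trailing bytes. */
static const uint8_t frame[] = {
    0x9C,0x9E,0x88,0x8A,0xA6,0x40,0x60,0x8E,0x70,0xAC,0x9A,0x98,0x40,0x73,0x03,0xCF,
    0xFF,0x53,0x43,0x4F,0x55,0x54,0x37,0x8E,0x70,0x9E,0xB0,0xA6,0x40,0x70,0x48,0x44,
    0x4F,0x57,0x4E,0x20,0x8E,0x60,0xA4,0xA4,0x8E,0x40,0x6F,0x38,0x8E,0x60,0xA4,0xA4,
    0x8E,0x40,0x6F,0x4E,0x57,0x37,0x32,0x20,0x20,0x8E,0x60,0xA4,0xA4,0x8E,0x40,0x6F,
    0x96,0x00,0x10,0x00,0x00 };

#define AX25_HDR 16   /* 14 address bytes + control (03) + PID (CF) */
#define NR_HDR    7   /* 0xFF signature + 6-byte sending alias (assumed layout) */
#define REC_LEN  21   /* callsign(7) + alias(6) + neighbour(7) + quality(1) */

struct result { int records; int overran; uint16_t cx; char last_alias[7]; };

/* Walk the records with the patched test (fixed=1: cmp cx,21 / jl) or the
 * original one (fixed=0: cmp cx,0 / jbe). cx models the 16-bit register, so
 * the subtraction wraps as in the real code (assumed: 21 per record). */
static struct result decode_nodes(const uint8_t *buf, size_t len, int fixed)
{
    struct result r = { 0, 0, 0, "" };
    size_t pos = AX25_HDR + NR_HDR;
    r.cx = (uint16_t)(len - pos);           /* 46 = 2 records + 4 stray bytes */
    for (;;) {
        if (fixed ? ((int16_t)r.cx < REC_LEN) : (r.cx == 0))
            break;                          /* JBE against 0 fires only when CX == 0 */
        if (pos + REC_LEN > len) {          /* the original would read past the frame */
            r.overran = 1;
            r.cx -= REC_LEN;                /* 4 - 21 wraps to 65519 */
            break;
        }
        memcpy(r.last_alias, buf + pos + 7, 6);   /* alias is ASCII; [6] stays NUL */
        r.records++;
        pos += REC_LEN;
        r.cx -= REC_LEN;
    }
    return r;
}

int main(void)
{
    struct result ok = decode_nodes(frame, sizeof frame, 1);
    struct result bad = decode_nodes(frame, sizeof frame, 0);
    printf("patched : %d records, overran=%d, cx=%u\n", ok.records, ok.overran, (unsigned)ok.cx);
    printf("original: %d records, overran=%d, cx=%u\n", bad.records, bad.overran, (unsigned)bad.cx);
    return 0;
}
```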