Mirror
/
upx
mirror of https://github.com/upx/upx.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

invert_pt_dynamic() needs better checking for malformed input 

https://github.com/upx/upx/issues/759
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65510
	modified:   p_lx_elf.cpp
This commit is contained in:
John Reiser 2024-01-10 09:41:12 -08:00 committed by Markus F.X.J. Oberhumer
parent 09c5e38322
commit 3dca1175e5
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/p_lx_elf.cpp
View File

@ -2128,7 +2128,7 @@ PackLinuxElf32::invert_pt_dynamic(Elf32_Dyn const *dynp, u32_t headway)
unsigned const *const chains = &buckets[nbucket]; (void)chains;
unsigned const v_sym = !x_sym ? 0 : get_te32(&dynp0[-1+ x_sym].d_val);
if ((unsigned)file_size <= nbucket/sizeof(*buckets) // FIXME: weak
if ((hashend - buckets) < nbucket
|| !v_sym || (unsigned)file_size <= v_sym
|| ((v_hsh < v_sym) && (v_sym - v_hsh) < sizeof(*buckets)*(2+ nbucket))
) {
@ -2170,6 +2170,7 @@ PackLinuxElf32::invert_pt_dynamic(Elf32_Dyn const *dynp, u32_t headway)
unsigned const *const buckets = (unsigned const *)&bitmask[n_bitmask];
unsigned const *const hasharr = &buckets[n_bucket]; (void)hasharr;
if (!n_bucket || (1u<<31) <= n_bucket /* fie on fuzzers */
|| (gashend - buckets) < n_bucket
|| (void const *)&file_image[file_size] <= (void const *)hasharr) {
char msg[80]; snprintf(msg, sizeof(msg),
"bad n_bucket %#x\n", n_bucket);
@ -8014,7 +8015,7 @@ PackLinuxElf64::invert_pt_dynamic(Elf64_Dyn const *dynp, upx_uint64_t headway)
unsigned const *const chains = &buckets[nbucket]; (void)chains;
unsigned const v_sym = !x_sym ? 0 : get_te64(&dynp0[-1+ x_sym].d_val); // UPX_RSIZE_MAX_MEM
if ((unsigned)file_size <= nbucket/sizeof(*buckets) // FIXME: weak
if ((hashend - buckets) < nbucket
|| !v_sym || (unsigned)file_size <= v_sym
|| ((v_hsh < v_sym) && (v_sym - v_hsh) < sizeof(*buckets)*(2+ nbucket))
) {
@ -8056,6 +8057,7 @@ PackLinuxElf64::invert_pt_dynamic(Elf64_Dyn const *dynp, upx_uint64_t headway)
unsigned const *const buckets = (unsigned const *)&bitmask[n_bitmask];
unsigned const *const hasharr = &buckets[n_bucket]; (void)hasharr;
if (!n_bucket || (1u<<31) <= n_bucket /* fie on fuzzers */
|| (gashend - buckets) < n_bucket
|| (void const *)&file_image[file_size] <= (void const *)hasharr) {
char msg[80]; snprintf(msg, sizeof(msg),
"bad n_bucket %#x\n", n_bucket);