Try not to run off the end of selfrel_fixups.

https://github.com/upx/upx/issues/455
	modified:   p_wcle.cpp
	modified:   packer.cpp

src/p_wcle.cpp

@@ -582,7 +582,7 @@ void PackWcle::decodeFixups()
     iimage.dealloc();
 
     MemBuffer tmpbuf;
-    unsigned fixupn = unoptimizeReloc32(&p,oimage,&tmpbuf,1);
+    unsigned const fixupn = unoptimizeReloc32(&p,oimage,&tmpbuf,1);
 
     MemBuffer wrkmem(8*fixupn+8);
     unsigned ic,jc,o,r;
@@ -603,8 +603,17 @@ void PackWcle::decodeFixups()
     const upx_byte *selector_fixups = p;
     const upx_byte *selfrel_fixups = p;
 
-    while (*selfrel_fixups != 0xC3)
+    while (*selfrel_fixups != 0xC3) {
+        // FIXME: Heuristic defense for running off the end.
+        // End is unknown, but all-zero definitely is bad.
+        static unsigned char const blank[9] = {0};
+        if (!memcmp(blank, selfrel_fixups, sizeof(blank))) {
+            char msg[50]; snprintf(msg, sizeof(msg),
+                "bad selfrel_fixups +%#lx", selfrel_fixups - p);
+            throwCantPack(msg);
+        }
         selfrel_fixups += 9;
+    }
     selfrel_fixups++;
     unsigned selectlen = ptr_diff(selfrel_fixups, selector_fixups)/9;
 

src/packer.cpp

@@ -876,7 +876,7 @@ unsigned Packer::unoptimizeReloc(upx_byte **in, upx_byte *image, MemBuffer *out,
     upx_byte const *in_end = p;
     // fprintf(stderr,"relocnum=%x\n",relocn);
     out->alloc(4 * relocn + 4); // one extra data
-    LE32 *outp = (LE32 *) (unsigned char *) *out;
+    LE32 *const outp = (LE32 *) (unsigned char *) *out;
     LE32 *relocs = outp;
     unsigned jc = (unsigned) -4;
     for (p = *in; p < in_end; p++) {