From 284adb203f51b1bdcc74bccd16470d466a2720fd Mon Sep 17 00:00:00 2001 From: John Reiser Date: Fri, 24 Dec 2021 15:52:16 -0800 Subject: [PATCH] Better checking of DT_HASH.nbuckets https://github.com/upx/upx/issues/507 modified: p_lx_elf.cpp --- src/p_lx_elf.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp index e80ec077..a3efd18d 100644 --- a/src/p_lx_elf.cpp +++ b/src/p_lx_elf.cpp @@ -1688,7 +1688,8 @@ PackLinuxElf32::invert_pt_dynamic(Elf32_Dyn const *dynp, unsigned headway) unsigned const *const chains = &buckets[nbucket]; (void)chains; unsigned const v_sym = !x_sym ? 0 : get_te32(&dynp0[-1+ x_sym].d_val); - if ((nbucket>>31) || !v_sym || (unsigned)file_size <= v_sym + if ((unsigned)file_size <= nbucket/sizeof(*buckets) // FIXME: weak + || !v_sym || (unsigned)file_size <= v_sym || ((v_hsh < v_sym) && (v_sym - v_hsh) < sizeof(*buckets)*(2+ nbucket)) ) { char msg[80]; snprintf(msg, sizeof(msg), @@ -5556,7 +5557,8 @@ PackLinuxElf64::invert_pt_dynamic(Elf64_Dyn const *dynp, upx_uint64_t headway) unsigned const *const chains = &buckets[nbucket]; (void)chains; unsigned const v_sym = !x_sym ? 0 : get_te32(&dynp0[-1+ x_sym].d_val); - if ((nbucket>>31) || !v_sym || (unsigned)file_size <= v_sym + if ((unsigned)file_size <= nbucket/sizeof(*buckets) // FIXME: weak + || !v_sym || (unsigned)file_size <= v_sym || ((v_hsh < v_sym) && (v_sym - v_hsh) < sizeof(*buckets)*(2+ nbucket)) ) { char msg[80]; snprintf(msg, sizeof(msg),
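Review bot: The replacement bound on the first `+` line of the PackLinuxElf32 hunk, `(unsigned)file_size <= nbucket/sizeof(*buckets)`, divides the wrong operand: `buckets` is an `unsigned const *` (see the `chains = &buckets[nbucket]` context line), so the bucket array occupies `nbucket*sizeof(*buckets)` bytes, and this test rejects only an `nbucket` of at least four times the file size while any `nbucket` between `file_size/4` and `4*file_size` — far too many buckets to fit in the file — still passes, leaving `chains` presumably pointing past the end of the hash table. Removing the `(nbucket>>31)` term also lets `sizeof(*buckets)*(2+ nbucket)` in the retained `||` line wrap where `size_t` is 32 bits, and `nbucket == 0` is not rejected at all; if a later lookup reduces a hash modulo `nbucket` (outside this hunk) that is a division by zero. I would keep the shift guard, reject zero, and put the division on the file-size side: `if (!nbucket || (nbucket>>31) || (unsigned)file_size/sizeof(*buckets) <= nbucket  // still weak: ignores v_hsh offset and nchain`. The `// FIXME: weak` marker should name what remains unchecked (the table's file offset `v_hsh` and the chain array length) rather than only that the bound is loose. `PackLinuxElf32::invert_pt_dynamic` begins before and continues past this hunk.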
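Review bot: In the first `+` line of the PackLinuxElf64 hunk, `(unsigned)file_size <= nbucket/sizeof(*buckets)` scales `nbucket` down by `sizeof(*buckets)` when the bucket array it guards actually occupies `nbucket*sizeof(*buckets)` bytes, so an `nbucket` of up to four times the file size is accepted and `&buckets[nbucket]` on the context line above can land beyond the file data. A bound of the form `(unsigned)file_size/sizeof(*buckets) <= nbucket`, together with `!nbucket ||` so a zero bucket count cannot reach any later modulo (not visible here), would reject what this line intends to reject. This `if` is a verbatim copy of the Elf32 version and both had to be patched in lockstep; a small shared helper such as `static bool dt_hash_fits(unsigned file_size, unsigned v_hsh, unsigned v_sym, unsigned nbucket)` called from both `invert_pt_dynamic` bodies would keep the two checks from drifting apart. `PackLinuxElf64::invert_pt_dynamic` begins before and continues past this hunk.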