mirror/upx
1
0
Fork 0
mirror of https://github.com/upx/upx synced 2025-09-28 19:06:07 +08:00
Code Issues Releases Wiki Activity

Check blocksize. CERT-FI 829767

Browse Source 
id:000053,sig:06,src:000000,op:arith8,pos:10440,val:+20
This commit is contained in:
John Reiser 2015-05-09 07:25:25 -07:00
parent 2cb7b56a41
commit c777da263e
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/p_lx_elf.cpp
View File

@ -3014,7 +3014,8 @@ void PackLinuxElf64::unpack(OutputFile *fo)
p_info hbuf; fi->readx(&hbuf, sizeof(hbuf)); p_info hbuf; fi->readx(&hbuf, sizeof(hbuf));
unsigned orig_file_size = get_te32(&hbuf.p_filesize); unsigned orig_file_size = get_te32(&hbuf.p_filesize);
blocksize = get_te32(&hbuf.p_blocksize); blocksize = get_te32(&hbuf.p_blocksize);
if (file_size > (off_t)orig_file_size || blocksize > orig_file_size) if (file_size > (off_t)orig_file_size || blocksize > orig_file_size
|| orig_file_size > fi->st_size())
throwCantUnpack("file header corrupted"); throwCantUnpack("file header corrupted");
ibuf.alloc(blocksize + OVERHEAD); ibuf.alloc(blocksize + OVERHEAD);
@ -3533,7 +3534,8 @@ void PackLinuxElf32::unpack(OutputFile *fo)
p_info hbuf; fi->readx(&hbuf, sizeof(hbuf)); p_info hbuf; fi->readx(&hbuf, sizeof(hbuf));
unsigned orig_file_size = get_te32(&hbuf.p_filesize); unsigned orig_file_size = get_te32(&hbuf.p_filesize);
blocksize = get_te32(&hbuf.p_blocksize); blocksize = get_te32(&hbuf.p_blocksize);
if (file_size > (off_t)orig_file_size || blocksize > orig_file_size) if (file_size > (off_t)orig_file_size || blocksize > orig_file_size
|| orig_file_size > fi->st_size())
throwCantUnpack("file header corrupted"); throwCantUnpack("file header corrupted");
ibuf.alloc(blocksize + OVERHEAD); ibuf.alloc(blocksize + OVERHEAD);
@ -3541,7 +3543,7 @@ void PackLinuxElf32::unpack(OutputFile *fo)
fi->readx(&bhdr, szb_info); fi->readx(&bhdr, szb_info);
ph.u_len = get_te32(&bhdr.sz_unc); ph.u_len = get_te32(&bhdr.sz_unc);
ph.c_len = get_te32(&bhdr.sz_cpr); ph.c_len = get_te32(&bhdr.sz_cpr);
if (ph.c_len > fi->st_size()) if (ph.c_len > fi->st_size() || ph.c_len == 0 || ph.u_len == 0)
throwCantUnpack("file header corrupted"); throwCantUnpack("file header corrupted");
ph.filter_cto = bhdr.b_cto8; ph.filter_cto = bhdr.b_cto8;
bool const is_shlib = (ehdr->e_entry==0) || (ehdr->e_shoff!=0); bool const is_shlib = (ehdr->e_entry==0) || (ehdr->e_shoff!=0);