more checking of PackUnix::p_info at unpack

https://github.com/upx/upx/issues/781 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65864 modified: p_unix.cpp
2024-01-27 13:06:59 -08:00 · 2024-01-27 13:06:59 -08:00 · 2767ec54e1
commit 2767ec54e1
parent ac72c02793
1 changed files with 6 additions and 1 deletions
--- a/src/p_unix.cpp
+++ b/src/p_unix.cpp
@ -619,9 +619,14 @@ void PackUnix::unpack(OutputFile *fo)
        fi->readx(&hbuf, sizeof(hbuf));
        orig_file_size = get_te32(&hbuf.p_filesize);
        blocksize = get_te32(&hbuf.p_blocksize);
+        off_t max_inflated = file_size * 273;  // zlib limit (256 + 16 + 1)

-        if (file_size > (off_t)orig_file_size || blocksize > orig_file_size)
+        if (max_inflated < orig_file_size
+        ||  max_inflated < blocksize
+        ||  file_size > (off_t)orig_file_size
+        ||  blocksize > orig_file_size) {
            throwCantUnpack("file header corrupted");
+        }
    }
    else
    {