From 680ce0a7af4c6bc09959f8f14e213de91ceae4a4 Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Mon, 26 Feb 2024 14:32:02 -0800
Subject: [PATCH] find_dt_ndx defends against overrun

https://github.com/upx/upx/issues/790
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66344&q=label%3AProj-upx
modified: p_lx_elf.cpp
---
 src/p_lx_elf.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
index e65ba036..f8009e4f 100644
--- a/src/p_lx_elf.cpp
+++ b/src/p_lx_elf.cpp
@@ -2028,7 +2028,11 @@ PackLinuxElf32::sort_DT32_offsets(Elf32_Dyn const *const dynp0)
 unsigned PackLinuxElf32::find_dt_ndx(unsigned rva)
 {
     unsigned *const dto = (unsigned *)mb_dt_offsets.getVoidPtr();
+    unsigned *const dto_end = (unsigned *)(mb_dt_offsets.getSize() + dto);
     for (unsigned j = 0; dto[j]; ++j) { // linear search of short table
+        if (dto_end <= &dto[j]) { // defensive
+            return ~0u;
+        }
         if (rva == dto[j]) {
             return j;
         }
@@ -7941,7 +7945,11 @@ PackLinuxElf64::sort_DT64_offsets(Elf64_Dyn const *const dynp0)
 unsigned PackLinuxElf64::find_dt_ndx(u64_t rva)
 {
     unsigned *const dto = (unsigned *)mb_dt_offsets.getVoidPtr();
+    unsigned *const dto_end = (unsigned *)(mb_dt_offsets.getSize() + dto);
     for (unsigned j = 0; dto[j]; ++j) { // linear search of short table
+        if (dto_end <= &dto[j]) { // defensive
+            return ~0u;
+        }
         if (rva == dto[j]) {
             return j;
         }
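Review bot: The new bound check sits inside the loop body, but the loop condition `dto[j]` has already dereferenced the element before `dto_end <= &dto[j]` is evaluated, so when the table has no zero terminator the one-past-the-end read this patch is meant to stop still happens at the boundary; the same ordering applies to the PackLinuxElf64::find_dt_ndx hunk. The bound itself also looks off: `(unsigned *)(mb_dt_offsets.getSize() + dto)` scales the size by sizeof(unsigned), so if getSize() returns bytes (it appears to, as the buffer is byte-allocated elsewhere — please confirm), `dto_end` lands well past the real end and the check only fires after an overrun by up to 4x. Both are fixed by computing the end in elements and testing it before the read, e.g. `unsigned *const dto_end = dto + mb_dt_offsets.getSize() / sizeof(*dto);` and `for (unsigned j = 0; &dto[j] < dto_end && dto[j]; ++j) { // linear search of short table`, which makes the in-body `if (dto_end <= &dto[j])` block redundant provided the fall-through after the loop returns `~0u`. The rest of find_dt_ndx, including that post-loop return, is outside the hunk, so that part should be checked in the file.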