From 811f66de840503c376f759c3d911bc678116d755 Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Sat, 4 May 2024 09:05:48 -0700
Subject: [PATCH] Check gnu_shift during unpack

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66273&q=label%3AProj-upx
modified: p_lx_elf.cpp
---
 src/p_lx_elf.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
index 9855805c..27f038ff 100644
--- a/src/p_lx_elf.cpp
+++ b/src/p_lx_elf.cpp
@@ -2196,7 +2196,7 @@ PackLinuxElf32::invert_pt_dynamic(Elf32_Dyn const *dynp, u32_t headway)
 // (037 & (hash_32 >> gnu_shift))
 // but compilers can be stupid.
 if (31 < gnu_shift) {
- throwCantPack("bad gnu_shift %d", gnu_shift);
+ throwCantPack("bad gnu_shift %#x", gnu_shift);
 }
 // unsigned const *const gashend = &hasharr[n_bucket];
 // minimum, except:
@@ -8121,7 +8121,7 @@ PackLinuxElf64::invert_pt_dynamic(Elf64_Dyn const *dynp, upx_uint64_t headway)
 // (077 & (hash_32 >> gnu_shift))
 // but compilers can be stupid.
 if (31 < gnu_shift) {
- throwCantPack("bad gnu_shift %d", gnu_shift);
+ throwCantPack("bad gnu_shift %#x", gnu_shift);
 }
 // unsigned const *const gashend = &hasharr[n_bucket];
 // minimum, except:
@@ -8238,6 +8238,9 @@ Elf32_Sym const *PackLinuxElf32::elf_lookup(char const *name) const
 unsigned const *const bitmask = &gashtab[4];
 unsigned const *const buckets = &bitmask[n_bitmask];
 unsigned const *const hasharr = &buckets[n_bucket];
+ if (31 < gnu_shift) {
+ throwCantPack("bad gnu_shift %#x", gnu_shift);
+ }
 if ((file_size + file_image) <= (void const *)hasharr) {
 char msg[80]; snprintf(msg, sizeof(msg), "bad n_bucket %#x\n", n_bucket);
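Review bot: The `if (31 < gnu_shift)` guard added to PackLinuxElf32::elf_lookup has no comment saying why 31 is the limit, and with the identical lines added to PackLinuxElf64::elf_lookup in the next hunk the same test now exists in four places. The rationale is only hinted at in invert_pt_dynamic (`hash_32 >> gnu_shift`); presumably the value comes from the input file's GNU hash header and a shift of 32 or more on the 32-bit hash is undefined, so a line such as `// gnu_shift comes from the file; shifting a 32-bit hash by >= 32 is undefined` above the test would record that. A small shared helper for the check would keep the bound and the message from drifting apart between the copies. The commit subject says this path is reached during unpack, so it is worth confirming that an error raised through throwCantPack is what a user decompressing a malformed file should see. The body of elf_lookup starts and ends outside the hunk.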
@@ -8319,6 +8322,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
 unsigned const *const buckets = (unsigned const *)&bitmask[n_bitmask];
 unsigned const *const hasharr = &buckets[n_bucket];
+ if (31 < gnu_shift) {
+ throwCantPack("bad gnu_shift %#x", gnu_shift);
+ }
 if ((file_size + file_image) <= (void const *)hasharr) {
 char msg[80]; snprintf(msg, sizeof(msg), "bad n_bucket %#x\n", n_bucket);