From 9c5d0ff2ff1d3546a5c113d2e2ae54f936a3e639 Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Wed, 8 Jun 2011 10:06:42 -0700
Subject: [PATCH] PeFile::processRelocs() defends itself against corrupt PE header
---
 src/pefile.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/pefile.cpp b/src/pefile.cpp
index 4f42e6f8..f9b0fdf5 100644
--- a/src/pefile.cpp
+++ b/src/pefile.cpp
@@ -439,6 +439,13 @@ void PeFile::processRelocs() // pass1
 orelocs);
 delete [] fix[3];
 
+ // Malware that hides behind UPX often has PE header info that is
+ // deliberately corrupt. Sometimes it is even tuned to cause us trouble!
+ // Use an extra check to avoid AccessViolation (SIGSEGV) when appending
+ // the relocs into one array.
+ if ((rnum * 4 + 1024) < (sorelocs + 4*(2 + xcounts[2] + xcounts[1])))
+ throwCantUnpack("Invalid relocs");
+
 // append relocs type "LOW" then "HIGH"
 for (ic = 2; ic ; ic--)
 {
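Review bot: The new guard `if ((rnum * 4 + 1024) < (sorelocs + 4*(2 + xcounts[2] + xcounts[1])))` compares two sums whose operands presumably come from the untrusted PE header, so the right-hand side can itself wrap (unsigned overflow, or sign confusion if any of `sorelocs`/`xcounts[]` is signed) and a wrapped total would slip past the check it is meant to enforce; the types are not visible here because processRelocs() starts before and continues after this hunk. Consider rejecting `xcounts[1]` and `xcounts[2]` (and `sorelocs`) against a fixed upper bound individually before forming the sum, so the comparison can never overflow. The constant 1024 is also undocumented — the comment explains why the check exists but not what the inequality means; a note such as `// rnum*4 + 1024 must match the size allocated for the combined relocs array — keep in sync` (if that is indeed where the slack comes from) would let a later maintainer verify the two stay aligned.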