From b12a57aa44eb980b7247df34cb7f059769ca3cdc Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Thu, 25 May 2000 04:56:02 +0000
Subject: [PATCH] Defend against SIGSEGV due to decompressor overrun of output.
committer: jreiser 959230562 +0000
---
 src/stub/l_lx_exec.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/stub/l_lx_exec.c b/src/stub/l_lx_exec.c
index 16dcdaf1..424dd065 100644
--- a/src/stub/l_lx_exec.c
+++ b/src/stub/l_lx_exec.c
@@ -165,6 +165,10 @@ void upx_main(
 } malloc_args = { 0, 0, PROT_READ | PROT_WRITE, MAP_SHARED, 0, 0 };
+ static struct MallocArgs scratch_page = {
+ 0, -PAGE_MASK, PROT_READ | PROT_WRITE,
+ MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0
+ };
 //
 // ----- Step 0: set /proc/self using /proc/ -----
@@ -265,6 +269,10 @@ void upx_main(
 if ((unsigned long) buf >= (unsigned long) -4095) goto error;
+ // Decompressor can overrun the output by 3 bytes.
+ // Defend against SIGSEGV by using a scratch page.
+ scratch_page.ma_addr = buf + (PAGE_MASK & (header.p_filesize + ~PAGE_MASK));
+ mmap((int *)&scratch_page);
 //
 // ----- Step 4: decompress blocks -----
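Review bot: The `scratch_page` initializer relies on two assumptions that are not written down: the second field `-PAGE_MASK` is a one-page length only if PAGE_MASK is the negated page size (its definition is not in this hunk), and the first field stays 0 until `ma_addr` is assigned later in upx_main. Because the flags include MAP_FIXED, an mmap issued before that assignment would request address 0, so I would add a comment above the declaration such as `// length -PAGE_MASK == one page; ma_addr must be set before mmap (MAP_FIXED)`. The trailing `0, 0` presumably carries the file descriptor and offset; Linux ignores the descriptor for MAP_ANONYMOUS, but -1 is the portable value. The body of upx_main starts and ends outside the hunk.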
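Review bot: The result of `mmap((int *)&scratch_page)` is discarded, so if the fixed mapping fails the decompressor's 3-byte overrun faults exactly as before and nothing reports it; the `buf` check on the context line above shows the pattern to reuse, e.g. `if ((unsigned long) mmap((int *)&scratch_page) >= (unsigned long) -4095) goto error;`. MAP_FIXED also silently replaces whatever is already mapped at the page-rounded end of the output, and the hunk does not show how large the `buf` mapping is, so a comment should state why that page is known to be free or to lie inside the existing reservation. If `header.p_filesize` is taken from the packed file, `header.p_filesize + ~PAGE_MASK` can wrap for values near the type's maximum and put the scratch page below the real end of the output, so it is worth confirming that p_filesize is bounded before this line. The enclosing upx_main starts and ends outside the hunk.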