jory/upx
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Fuzz nuisance: wild p_info for de-compression

Browse Source 
https://issues.oss-fuzz.com/u/1/issues/383200048
	modified:   p_lx_elf.cpp
This commit is contained in:
John Reiser 2025-02-17 08:26:17 -08:00 committed by Markus F.X.J. Oberhumer
parent c0bf7bf9ab
commit b8b64a3e0f
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/p_lx_elf.cpp
View File

@ -7606,6 +7606,8 @@ void PackLinuxElf64::unpack(OutputFile *fo)
unsigned orig_file_size = get_te32(&hbuf.p_filesize); unsigned orig_file_size = get_te32(&hbuf.p_filesize);
blocksize = get_te32(&hbuf.p_blocksize); blocksize = get_te32(&hbuf.p_blocksize);
if ((u32_t)file_size > orig_file_size || blocksize > orig_file_size if ((u32_t)file_size > orig_file_size || blocksize > orig_file_size
|| (orig_file_size >> 8) > (u32_t)file_size // heuristic anti-fuzz
|| (blocksize >> 8) > (u32_t)file_size
|| !mem_size_valid(1, blocksize, OVERHEAD)) || !mem_size_valid(1, blocksize, OVERHEAD))
throwCantUnpack("p_info corrupted"); throwCantUnpack("p_info corrupted");
@ -8831,6 +8833,8 @@ void PackLinuxElf32::unpack(OutputFile *fo)
unsigned orig_file_size = get_te32(&hbuf.p_filesize); unsigned orig_file_size = get_te32(&hbuf.p_filesize);
blocksize = get_te32(&hbuf.p_blocksize); blocksize = get_te32(&hbuf.p_blocksize);
if ((u32_t)file_size > orig_file_size || blocksize > orig_file_size if ((u32_t)file_size > orig_file_size || blocksize > orig_file_size
|| (orig_file_size >> 8) > (u32_t)file_size // heuristic anti-fuzz
|| (blocksize >> 8) > (u32_t)file_size
|| !mem_size_valid(1, blocksize, OVERHEAD)) || !mem_size_valid(1, blocksize, OVERHEAD))
throwCantUnpack("p_info corrupted"); throwCantUnpack("p_info corrupted");