From cc60f03b2eae1626155d0b6d97a2d9d7529616c7 Mon Sep 17 00:00:00 2001
From: John Reiser <jreiser@BitWagon.com>
Date: Sat, 25 Jul 2020 08:19:45 -0700
Subject: [PATCH] Check Shdr more

https://github.com/upx/upx/issues/395
	modified:   p_lx_elf.cpp
---
 src/p_lx_elf.cpp | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
index 4b0e1e85..d7ec2cf9 100644
--- a/src/p_lx_elf.cpp
+++ b/src/p_lx_elf.cpp
@@ -261,12 +261,16 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f)
     if (0==e_phnum) throwCantUnpack("0==e_phnum");
     e_phoff = get_te32(&ehdri.e_phoff);
     unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr);
-    if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
+    if (last_Phdr < e_phoff  // wrap-around
+    ||  e_phoff != sizeof(Elf32_Ehdr)  // must be contiguous
+    ||  (unsigned long)file_size < last_Phdr) {
         throwCantUnpack("bad e_phoff");
     }
     e_shoff = get_te32(&ehdri.e_shoff);
     unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr);
-    if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
+    if (last_Shdr < e_shoff  // wrap-around
+    ||  e_shoff < last_Phdr
+    ||  (unsigned long)file_size < last_Shdr) {
         if (opt->cmd == CMD_COMPRESS) {
             throwCantUnpack("bad e_shoff");
         }
@@ -759,12 +763,16 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f)
     if (0==e_phnum) throwCantUnpack("0==e_phnum");
     e_phoff = get_te64(&ehdri.e_phoff);
     upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr);
-    if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) {
+    if (last_Phdr < e_phoff  // wrap-around
+    ||  e_phoff != sizeof(Elf64_Ehdr)  // must be contiguous
+    ||  (unsigned long)file_size < last_Phdr) {
         throwCantUnpack("bad e_phoff");
     }
     e_shoff = get_te64(&ehdri.e_shoff);
     upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr);
-    if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) {
+    if (last_Shdr < e_shoff  // wrap-around
+    ||  e_shoff < last_Phdr
+    ||  (unsigned long)file_size < last_Shdr) {
         if (opt->cmd == CMD_COMPRESS) {
             throwCantUnpack("bad e_shoff");
         }