gentoo-overlay/app-arch/upx/files/upx-4.0.1-CVE-2023-23456.patch


From 1d291ff0db8a056600ebdebb9c3c62d700eaa842 Mon Sep 17 00:00:00 2001
From: John Reiser <jreiser@BitWagon.com>
Date: Thu, 24 Nov 2022 10:28:03 -0800
Subject: [PATCH] p_tmt: more sanity of input, cleanup MemBuffer usage
https://github.com/upx/upx/issues/632
modified: src/p_tmt.cpp
---
src/p_tmt.cpp | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/p_tmt.cpp b/src/p_tmt.cpp
index 7dc72888..592809a9 100644
--- a/src/p_tmt.cpp
+++ b/src/p_tmt.cpp
@@ -173,15 +173,13 @@ int PackTmt::readFileHeader()
fi->seek(adam_offset,SEEK_SET);
fi->readx(&ih,sizeof(ih));
// FIXME: should add more checks for the values in 'ih'
- unsigned const imagesize = get_le32(&ih.imagesize);
- unsigned const entry = get_le32(&ih.entry);
- unsigned const relocsize = get_le32(&ih.relocsize);
- if (!imagesize
- || file_size <= imagesize
- || file_size <= entry
- || file_size <= relocsize) {
- printWarn(getName(), "bad header; imagesize=%#x entry=%#x relocsize=%#x",
- imagesize, entry, relocsize);
+ unsigned const imagesize = ih.imagesize;
+ unsigned const entry = ih.entry;
+ unsigned const relocsize = ih.relocsize;
+ if (imagesize < sizeof(ih) || entry < sizeof(ih) || file_size <= imagesize ||
+ file_size <= entry || file_size <= relocsize) {
+ printWarn(getName(), "bad header; imagesize=%#x entry=%#x relocsize=%#x", imagesize,
+ entry, relocsize);
return 0;
}
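Review bot: The new guard checks imagesize, entry and relocsize against file_size one at a time, but never against the bytes that actually remain after adam_offset + sizeof(ih), so values that each pass this test can still add up to more than the file holds; from this hunk it looks like the later readx calls in pack() are what really catches that, which is why the FIXME on the line above still stands. A combined bound would close the gap, e.g. computing `adam_offset + sizeof(ih) + imagesize + relocsize` in a type wide enough not to wrap (the fields are 32-bit unsigned here) and rejecting the header when it exceeds `file_size`. I would also update the stale comment to say what is still open, e.g. `// FIXME: still unchecked: relocsize lower bound, and whether imagesize+relocsize fit after adam_offset`. readFileHeader continues outside the hunk.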
@@ -215,15 +213,16 @@ void PackTmt::pack(OutputFile *fo)
ibuf.alloc(usize+rsize+128);
obuf.allocForCompression(usize+rsize+128);
- MemBuffer wrkmem;
- wrkmem.alloc(rsize+EXTRA_INFO); // relocations
+ MemBuffer mb_wrkmem;
+ mb_wrkmem.alloc(rsize + EXTRA_INFO + 4); // relocations + original entry point + relocsize
+ SPAN_S_VAR(upx_byte, wrkmem, mb_wrkmem);
fi->seek(adam_offset+sizeof(ih),SEEK_SET);
fi->readx(ibuf,usize);
fi->readx(wrkmem+4,rsize);
const unsigned overlay = file_size - fi->tell();
- if (find_le32(ibuf,128,get_le32("UPX ")) >= 0)
+ if (find_le32(ibuf, UPX_MIN(128u, usize), get_le32("UPX ")) >= 0)
throwAlreadyPacked();
if (rsize == 0)
throwCantPack("file is already compressed with another packer");
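Review bot: The comment on the new `mb_wrkmem.alloc(rsize + EXTRA_INFO + 4)` line names three components (relocations, original entry point, relocsize) while the expression adds only two constants, so a reader cannot tell which of EXTRA_INFO or the literal 4 pays for which slot; the `wrkmem+4` in the readx below suggests the 4 is the leading entry-point slot, with relocsize presumably inside EXTRA_INFO. I would spell that out, e.g. `// 4 (original entry point) + rsize (relocations) + EXTRA_INFO (relocsize etc.)`, after confirming against EXTRA_INFO's definition. The unchanged `ibuf.alloc(usize+rsize+128)` just above is still a plain sum of two values each bounded only by file_size, so on very large inputs it could wrap if usize and rsize are 32-bit; presumably MemBuffer::alloc rejects oversized requests, but an explicit pre-check here would make that independent of the allocator. pack() continues outside the hunk.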
--
2.38.2