From 58c6d19f7cf20fa2cff122549510c855755b66bf Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Wed, 15 Apr 2020 14:12:06 -0700
Subject: [PATCH] unpack() checks PT_DYNAMIC.p_filesz
https://github.com/upx/upx/issues/367
modified: p_lx_elf.cpp
---
 src/p_lx_elf.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
index 4101ebaf..9f9cd4f0 100644
--- a/src/p_lx_elf.cpp
+++ b/src/p_lx_elf.cpp
@@ -4667,6 +4667,11 @@ void PackLinuxElf64::unpack(OutputFile *fo)
 upx_uint64_t dt_relasz(0), dt_rela(0);
 upx_uint64_t const dyn_len = get_te64(&udynhdr->p_filesz);
 upx_uint64_t const dyn_off = get_te64(&udynhdr->p_offset);
+ if ((unsigned long)file_size < (dyn_len + dyn_off)) {
+ char msg[50]; snprintf(msg, sizeof(msg), "bad PT_DYNAMIC .p_filesz %#lx", (long unsigned)dyn_len);
+ throwCantUnpack(msg);
+ }
 if (dyn_off < load_off) {
 continue; // Oops. Not really is_shlib ? [built by 'rust' ?]
 }
@@ -5627,6 +5632,11 @@ void PackLinuxElf32::unpack(OutputFile *fo)
 unsigned dt_relsz(0), dt_rel(0);
 unsigned const dyn_len = get_te32(&udynhdr->p_filesz);
 unsigned const dyn_off = get_te32(&udynhdr->p_offset);
+ if ((unsigned long)file_size < (dyn_len + dyn_off)) {
+ char msg[50]; snprintf(msg, sizeof(msg), "bad PT_DYNAMIC .p_filesz %#x", dyn_len);
+ throwCantUnpack(msg);
+ }
 if (dyn_off < load_off) {
 continue; // Oops. Not really is_shlib ? [built by 'rust' ?]
 }
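Review bot: The new guard `(unsigned long)file_size < (dyn_len + dyn_off)` in the Elf64 hunk is bypassable by a crafted PT_DYNAMIC whose p_offset and p_filesz sum past 2^64, because both operands are attacker-controlled upx_uint64_t values read straight from the input and the addition wraps to a small number that passes the comparison. Compare each field against file_size on its own so no overflowable addition is needed, e.g. `if (dyn_off > (upx_uint64_t)file_size || dyn_len > (upx_uint64_t)file_size - dyn_off) {`. The `(long unsigned)dyn_len` cast in the message only truncates the reported value where `unsigned long` is 32 bits, which is cosmetic but worth a `%#llx`/`unsigned long long` pair. PackLinuxElf64::unpack begins and ends outside the hunk, so the later consumers of dyn_len and dyn_off are not visible here.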
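Review bot: In the Elf32 hunk the same guard is weaker still, because `dyn_len + dyn_off` is evaluated in 32-bit `unsigned` arithmetic and only then widened to `unsigned long`, so p_offset=0x10 with p_filesz=0xFFFFFFF0 wraps to 0 and passes even on an LP64 host, leaving a p_filesz far larger than the file for whatever reads the dynamic section next. Avoid the addition entirely: `if (dyn_off > (unsigned long)file_size || dyn_len > (unsigned long)file_size - dyn_off) {`. The check also does not confirm that p_filesz is a whole number of Elf32_Dyn entries; if the loop that follows indexes the table in sizeof(Elf32_Dyn) steps, a trailing partial entry could still be read past dyn_len, though that loop is outside the hunk and I cannot confirm it from here. PackLinuxElf32::unpack begins and ends outside the hunk.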