From 8d6c5942408900f782d5bcd6ac4f622356eb119f Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Sat, 9 May 2015 07:05:17 -0700
Subject: [PATCH] Check ph.c_len; CERT-FI 829767 id:000008,sig:06,src:000000,op:flip1,pos:205
---
 src/p_lx_elf.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
index faa912ba..7052a7c1 100644
--- a/src/p_lx_elf.cpp
+++ b/src/p_lx_elf.cpp
@@ -3022,6 +3022,9 @@ void PackLinuxElf64::unpack(OutputFile *fo)
 fi->readx(&bhdr, szb_info);
 ph.u_len = get_te32(&bhdr.sz_unc);
 ph.c_len = get_te32(&bhdr.sz_cpr);
+ if (ph.c_len > fi->st_size())
+ throwCantUnpack("file header corrupted");
+
 ph.filter_cto = bhdr.b_cto8;
 // Uncompress Ehdr and Phdrs.
@@ -3538,6 +3541,8 @@ void PackLinuxElf32::unpack(OutputFile *fo)
 fi->readx(&bhdr, szb_info);
 ph.u_len = get_te32(&bhdr.sz_unc);
 ph.c_len = get_te32(&bhdr.sz_cpr);
+ if (ph.c_len > fi->st_size())
+ throwCantUnpack("file header corrupted");
 ph.filter_cto = bhdr.b_cto8;
 bool const is_shlib = (ehdr->e_entry==0) || (ehdr->e_shoff!=0);
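Review bot: The added bound in PackLinuxElf64::unpack validates only ph.c_len, while ph.u_len is read from the same b_info header two lines earlier and is still accepted unchecked; the identical check in the PackLinuxElf32::unpack hunk has the same gap. Both sizes come from the file being unpacked, so they should be validated together, for example `if (ph.c_len == 0 || ph.u_len == 0 || ph.c_len > fi->st_size())`, with an upper bound on ph.u_len taken from whatever buffer or original-size value the rest of the function uses (not visible here). The limit is also the whole file size rather than the bytes remaining after the headers already read, so a value that passes can presumably still run past end of file. If ph.c_len is unsigned and st_size() returns a signed type, an explicit cast would make the comparison unambiguous. Both function bodies start and end outside the hunks.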