From dff37665018a0b9d3617f7cb12a558527b2c7811 Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Sat, 27 Jan 2024 13:38:25 -0800
Subject: [PATCH] Detect too-large bit-shift in elf_lookup of DT_GNUHASH
https://github.com/upx/upx/issues/782
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65776
modified: p_lx_elf.cpp
---
 src/p_lx_elf.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
index 462c54ad..8549be7f 100644
--- a/src/p_lx_elf.cpp
+++ b/src/p_lx_elf.cpp
@@ -2191,6 +2191,12 @@ PackLinuxElf32::invert_pt_dynamic(Elf32_Dyn const *dynp, u32_t headway)
 "bad n_bucket %#x\n", n_bucket);
 throwCantPack(msg);
 }
+ // It would be better to detect zeroes shifted into low 5 bits of:
+ // (037 & (hash_32 >> gnu_shift))
+ // but compilers can be stupid.
+ if (31 < gnu_shift) {
+ throwCantPack("bad gnu_shift %d", gnu_shift);
+ }
 // unsigned const *const gashend = &hasharr[n_bucket]; // minimum, except:
 // Rust and Android trim unused zeroes from high end of hasharr[]
@@ -8103,6 +8109,12 @@ PackLinuxElf64::invert_pt_dynamic(Elf64_Dyn const *dynp, upx_uint64_t headway)
 "bad n_bucket %#x\n", n_bucket);
 throwCantPack(msg);
 }
+ // It would be better to detect zeroes shifted into low 6 bits of:
+ // (077 & (hash_32 >> gnu_shift))
+ // but compilers can be stupid.
+ if (31 < gnu_shift) {
+ throwCantPack("bad gnu_shift %d", gnu_shift);
+ }
 // unsigned const *const gashend = &hasharr[n_bucket]; // minimum, except:
 // Rust and Android trim unused zeroes from high end of hasharr[]
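Review bot: The new `if (31 < gnu_shift)` guard uses the same bound in both hunks (Elf32 at 2191 and Elf64 at 8103), but the Elf64 comment talks about "low 6 bits" and `077`, so a later reader of the 64-bit path may "correct" the limit to 63 and reintroduce the oversized shift the oss-fuzz report is about; the comment should state where 31 actually comes from, e.g. `// hash_32 is a 32-bit value, so a shift of 32 or more is undefined behaviour whatever the bloom word width; reject it here, before elf_lookup ever runs.` The added comment's "compilers can be stupid" does not explain what the rejected alternative was or why it was dropped, which is the information the next maintainer needs. On the message line, `%d` is presumably the wrong conversion if `gnu_shift` is an unsigned field read from the ELF image like the neighbouring `n_bucket` (printed with `%#x`); `throwCantPack("bad gnu_shift %#x", gnu_shift);` would match the adjacent diagnostic and the value's type. Both `invert_pt_dynamic` bodies start and end outside the hunks, so whether `gnu_shift` is used before this point could not be checked from here.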