Master/upx
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Beware fuzzer setting compressed size too small

Browse Source 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65519
https://github.com/upx/upx/issues/761
	modified:   p_unix.cpp
This commit is contained in:
John Reiser
2024-01-10 11:20:47 -08:00
committed by Markus F.X.J. Oberhumer
parent 553fc9b1fb
commit f310ce376e
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/p_unix.cpp
+7 -1
View File
@@ -597,6 +597,8 @@ int PackUnix::find_overlay_offset(MemBuffer const &buf)
// See notes there. // See notes there.
**************************************************************************/ **************************************************************************/
static unsigned umax(unsigned a, unsigned b) {return (a < b) ? b : a;}
void PackUnix::unpack(OutputFile *fo) void PackUnix::unpack(OutputFile *fo)
{ {
b_info bhdr; b_info bhdr;
@@ -658,7 +660,11 @@ void PackUnix::unpack(OutputFile *fo)
if (sz_cpr > sz_unc || sz_unc > blocksize) if (sz_cpr > sz_unc || sz_unc > blocksize)
throwCompressedDataViolation(); throwCompressedDataViolation();
i = blocksize + OVERHEAD - sz_cpr; // Compressed output has control bytes such as the 32-bit
// first flag bits of NRV_d32, the 5-byte info of LZMA, etc.
// Fuzzers may try sz_cpr shorter than possible.
// Use some OVERHEAD for safety.
i = blocksize + OVERHEAD - umax(12, sz_cpr);
if (i < 0) if (i < 0)
throwCantUnpack("corrupt b_info"); throwCantUnpack("corrupt b_info");
fi->readx(buf+i, sz_cpr); fi->readx(buf+i, sz_cpr);