More bounds checking for DT_INIT (etc.) in shlib

#364 modified: p_lx_elf.cpp
upx · Apr 14, 2020 · 294ed1b · 294ed1b
1 parent cfa7d1e
commit 294ed1b
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
@@ -4698,7 +4698,14 @@ void PackLinuxElf64::unpack(OutputFile *fo)
                                     dyn->d_val = 0;
                                 }
                             }
-                            else { // DT_INIT_ARRAY, DT_PREINIT_ARRAY
+                            else if (Elf64_Dyn::DT_INIT_ARRAY    == tag
+                            ||       Elf64_Dyn::DT_PREINIT_ARRAY == tag) {
+                                if (val < load_va || (long unsigned)file_size < (long unsigned)val) {
+                                    char msg[50]; snprintf(msg, sizeof(msg),
+                                            "Bad Dynamic tag %#lx %#lx",
+                                            (long unsigned)tag, (long unsigned)val);
+                                    throwCantUnpack(msg);
+                                }
                                 set_te64(&ibuf[val - load_va], old_dtinit
                                     + (is_asl ? asl_delta : 0));  // counter-act unRel64
                             }
@@ -5651,7 +5658,14 @@ void PackLinuxElf32::unpack(OutputFile *fo)
                                     dyn->d_val = 0;
                                 }
                             }
-                            else { // DT_INIT_ARRAY, DT_PREINIT_ARRAY
+                            else if (Elf32_Dyn::DT_INIT_ARRAY    == tag
+                            ||       Elf32_Dyn::DT_PREINIT_ARRAY == tag) {
+                                if (val < load_va || (unsigned)file_size < (unsigned)val) {
+                                    char msg[50]; snprintf(msg, sizeof(msg),
+                                            "Bad Dynamic tag %#x %#x",
+                                            (unsigned)tag, (unsigned)val);
+                                    throwCantUnpack(msg);
+                                }
                                 set_te32(&ibuf[val - load_va], old_dtinit
                                     + (is_asl ? asl_delta : 0));  // counter-act unRel32
                             }