From 1d291ff0db8a056600ebdebb9c3c62d700eaa842 Mon Sep 17 00:00:00 2001
From: John Reiser
Date: Thu, 24 Nov 2022 10:28:03 -0800
Subject: [PATCH] p_tmt: more sanity of input, cleanup MemBuffer usage

https://github.com/upx/upx/issues/632
modified: src/p_tmt.cpp
---
 src/p_tmt.cpp | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/src/p_tmt.cpp b/src/p_tmt.cpp
index 7dc72888..592809a9 100644
--- a/src/p_tmt.cpp
+++ b/src/p_tmt.cpp
@@ -173,15 +173,13 @@ int PackTmt::readFileHeader()
     fi->seek(adam_offset,SEEK_SET);
     fi->readx(&ih,sizeof(ih));
     // FIXME: should add more checks for the values in 'ih'
-    unsigned const imagesize = get_le32(&ih.imagesize);
-    unsigned const entry = get_le32(&ih.entry);
-    unsigned const relocsize = get_le32(&ih.relocsize);
-    if (!imagesize
-    || file_size <= imagesize
-    || file_size <= entry
-    || file_size <= relocsize) {
-        printWarn(getName(), "bad header; imagesize=%#x entry=%#x relocsize=%#x",
-            imagesize, entry, relocsize);
+    unsigned const imagesize = ih.imagesize;
+    unsigned const entry = ih.entry;
+    unsigned const relocsize = ih.relocsize;
+    if (imagesize < sizeof(ih) || entry < sizeof(ih) || file_size <= imagesize ||
+        file_size <= entry || file_size <= relocsize) {
+        printWarn(getName(), "bad header; imagesize=%#x entry=%#x relocsize=%#x", imagesize,
+            entry, relocsize);
         return 0;
     }
 
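Review bot: The new condition bounds `imagesize`, `entry` and `relocsize` against `file_size` one at a time, but never checks that the image plus relocation table actually fit after the header, e.g. `file_size < adam_offset + sizeof(ih) + imagesize + relocsize` (with the sum done in a type wide enough not to wrap); a header that passes here can still run the file out in pack(), where the failure surfaces only as a read error. The `entry < sizeof(ih)` test also carries no comment saying what `entry` is relative to; if it is an offset within the image rather than the file, the natural bound is `entry < imagesize`. Since the `// FIXME: should add more checks` line is kept, a one-line comment on the condition such as `// sizes must lie strictly inside the file; header must fit inside the image` would at least record what is and is not validated. readFileHeader() continues outside the hunk.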
@@ -215,15 +213,16 @@ void PackTmt::pack(OutputFile *fo)
     ibuf.alloc(usize+rsize+128);
     obuf.allocForCompression(usize+rsize+128);
 
-    MemBuffer wrkmem;
-    wrkmem.alloc(rsize+EXTRA_INFO); // relocations
+    MemBuffer mb_wrkmem;
+    mb_wrkmem.alloc(rsize + EXTRA_INFO + 4); // relocations + original entry point + relocsize
+    SPAN_S_VAR(upx_byte, wrkmem, mb_wrkmem);
 
     fi->seek(adam_offset+sizeof(ih),SEEK_SET);
     fi->readx(ibuf,usize);
     fi->readx(wrkmem+4,rsize);
     const unsigned overlay = file_size - fi->tell();
 
-    if (find_le32(ibuf,128,get_le32("UPX ")) >= 0)
+    if (find_le32(ibuf, UPX_MIN(128u, usize), get_le32("UPX ")) >= 0)
         throwAlreadyPacked();
     if (rsize == 0)
         throwCantPack("file is already compressed with another packer");
-- 
2.38.2
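Review bot: The comment on the new `mb_wrkmem.alloc(rsize + EXTRA_INFO + 4)` lists three parts but not which term covers which, and the same `4` reappears as the bare skip in `fi->readx(wrkmem+4,rsize)` a few lines later; naming it, e.g. `constexpr unsigned kEntrySlot = 4; // original entry point, stored in front of the relocations`, and using it in both the alloc and the readx would keep the allocation and the read offset from drifting apart. Separately, `rsize + EXTRA_INFO + 4` and the unchanged `usize+rsize+128` are unsigned arithmetic on two header-supplied sizes; readFileHeader() bounds each one against `file_size` individually, so the sums cannot wrap only if `file_size` itself is capped well below 4 GiB, which is not visible here and is worth confirming or guarding with an explicit overflow check on `usize + rsize` before the allocations. pack() continues outside the hunk.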