From bde670f9c8f1674af919e459d72bf1f89dabe91d Mon Sep 17 00:00:00 2001 From: Gwyn Ciesla Date: Aug 01 2019 13:52:10 +0000 Subject: Upstream patches for CVE-2019-14295 and CVE-2019-14296. --- diff --git a/276b748aa6021c38a2dc699153f61b10e76bc3d2.patch b/276b748aa6021c38a2dc699153f61b10e76bc3d2.patch new file mode 100644 index 0000000..b1195a7 --- /dev/null +++ b/276b748aa6021c38a2dc699153f61b10e76bc3d2.patch @@ -0,0 +1,23 @@ +From 276b748aa6021c38a2dc699153f61b10e76bc3d2 Mon Sep 17 00:00:00 2001 +From: John Reiser +Date: Sun, 21 Jul 2019 07:40:21 -0700 +Subject: [PATCH] Ignore malformed ElfXX_Shdr in search for .text or .note + +https://github.com/upx/upx/issues/287 + modified: p_vmlinx.cpp +--- + src/p_vmlinx.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/p_vmlinx.cpp b/src/p_vmlinx.cpp +index 65c16c84..3fc26bbe 100644 +--- a/src/p_vmlinx.cpp ++++ b/src/p_vmlinx.cpp +@@ -577,6 +577,7 @@ int PackVmlinuxBase::canUnpack() + Shdr *p; + for (p= shdri, j= ehdri.e_shnum; --j>=0; ++p) { + if ((unsigned)file_size < (p->sh_size + p->sh_offset) ++ || (5+ p->sh_name) < p->sh_name // wrap: ignore malformed + || shstrsec->sh_size < (5+ p->sh_name) ) { + continue; + } diff --git a/58b122d97da1e02dfec24b10b6b8f56218b5622c.patch b/58b122d97da1e02dfec24b10b6b8f56218b5622c.patch new file mode 100644 index 0000000..276e657 --- /dev/null +++ b/58b122d97da1e02dfec24b10b6b8f56218b5622c.patch 
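Review bot: The unchanged first condition of this `if` in `canUnpack()`, `(unsigned)file_size < (p->sh_size + p->sh_offset)`, can wrap exactly the way the newly guarded `5+ p->sh_name` can, so a crafted Shdr with a huge `sh_offset` and a compensating `sh_size` still passes the file-size test; the second patch in this same update rewrites the equivalent test in `getElfSections()` as an offset check plus a subtraction, and this loop should get the same shape, e.g. `if (p->sh_offset > (unsigned)file_size || p->sh_size > ((unsigned)file_size - p->sh_offset)` in place of the first condition. The `5+` in the new wrap guard and the `shstrsec->sh_size` comparison presumably stand for `strlen(".text")`/`strlen(".note")` (the subject line names those two sections); a comment such as `// 5 == strlen(".text") == strlen(".note")` would let a reader check the bound against the name comparison that follows. `canUnpack()` starts and ends outside the hunk, so the later use of `sh_name` is not visible here.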
@@ -0,0 +1,30 @@ +From 58b122d97da1e02dfec24b10b6b8f56218b5622c Mon Sep 17 00:00:00 2001 +From: John Reiser +Date: Sun, 21 Jul 2019 10:48:50 -0700 +Subject: [PATCH] Better checking for malformed input + +https://github.com/upx/upx/issues + modified: p_vmlinx.cpp +--- + src/p_vmlinx.cpp | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/p_vmlinx.cpp b/src/p_vmlinx.cpp +index 3fc26bbe..6d380195 100644 +--- a/src/p_vmlinx.cpp ++++ b/src/p_vmlinx.cpp +@@ -111,9 +111,11 @@ typename T::Shdr const *PackVmlinuxBase::getElfSections() + int j; + for (p = shdri, j= ehdri.e_shnum; --j>=0; ++p) { + if (Shdr::SHT_STRTAB==p->sh_type +- && (p->sh_size + p->sh_offset) <= (unsigned long)file_size +- && p->sh_name < p->sh_size +- && (10+ p->sh_name) <= p->sh_size // 1+ strlen(".shstrtab") ++ && p->sh_offset < (unsigned long)file_size ++ && p->sh_size <= ((unsigned long)file_size - p->sh_offset) ++ && p->sh_name < (unsigned long)file_size ++ && 10 <= ((unsigned long)file_size - p->sh_name) ++ // 10 == (1+ strlen(".shstrtab")) + ) { + delete [] shstrtab; + shstrtab = new char[1+ p->sh_size]; diff --git a/6a53c0b3d499d62346a5c51034db543a4ef78ea3.patch b/6a53c0b3d499d62346a5c51034db543a4ef78ea3.patch new file mode 100644 index 0000000..2f4a86a --- /dev/null +++ b/6a53c0b3d499d62346a5c51034db543a4ef78ea3.patch 
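Review bot: The rewritten `sh_name` bound compares against `file_size` instead of `p->sh_size`, which is looser than the two lines it replaces: a `sh_name` between `sh_size` and `file_size - 10` now passes, yet the buffer allocated right after is only `1+ p->sh_size` bytes (`shstrtab = new char[1+ p->sh_size]`), so if the code that follows indexes `shstrtab + p->sh_name` (outside this hunk, so not verifiable here) the over-read the old bound prevented is reopened. The wrap-safe form is the right idea, but it should be bounded against the section's own size: `&& p->sh_name < p->sh_size` and `&& 10 <= (p->sh_size - p->sh_name)`. Note also that this function casts `file_size` to `unsigned long` while the `canUnpack()` loop patched alongside it uses `(unsigned)`; picking one width for both would avoid a truncation difference between the two checks. `getElfSections()` continues past the end of the hunk.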
@@ -0,0 +1,24 @@ +From 6a53c0b3d499d62346a5c51034db543a4ef78ea3 Mon Sep 17 00:00:00 2001 +From: John Reiser +Date: Sun, 21 Jul 2019 10:51:59 -0700 +Subject: [PATCH] [Append to previous commit message.] + +https://github.com/upx/upx/issues/286 + modified: p_vmlinx.cpp +--- + src/p_vmlinx.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/p_vmlinx.cpp b/src/p_vmlinx.cpp +index 6d380195..56c4fd18 100644 +--- a/src/p_vmlinx.cpp ++++ b/src/p_vmlinx.cpp +@@ -115,7 +115,7 @@ typename T::Shdr const *PackVmlinuxBase::getElfSections() + && p->sh_size <= ((unsigned long)file_size - p->sh_offset) + && p->sh_name < (unsigned long)file_size + && 10 <= ((unsigned long)file_size - p->sh_name) +- // 10 == (1+ strlen(".shstrtab")) ++ // 10 == (1+ strlen(".shstrtab")) + ) { + delete [] shstrtab; + shstrtab = new char[1+ p->sh_size]; diff --git a/ef336dbcc6dc8344482f8cf6c909ae96c3286317.patch b/ef336dbcc6dc8344482f8cf6c909ae96c3286317.patch deleted file mode 100644 index ef34336..0000000 --- a/ef336dbcc6dc8344482f8cf6c909ae96c3286317.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From ef336dbcc6dc8344482f8cf6c909ae96c3286317 Mon Sep 17 00:00:00 2001 -From: John Reiser -Date: Mon, 2 Oct 2017 21:47:40 -0700 -Subject: [PATCH] Protect against bad crafted input. - -https://github.com/upx/upx/issues/128 - modified: p_lx_elf.cpp ---- - src/p_lx_elf.cpp | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp -index e6336425..9272cf9b 100644 ---- a/src/p_lx_elf.cpp -+++ b/src/p_lx_elf.cpp -@@ -245,8 +245,15 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f) - sz_phdrs = 0; - return; - } -+ if (0==e_phnum) throwCantUnpack("0==e_phnum"); - e_phoff = get_te32(&ehdri.e_phoff); -+ if ((unsigned long)file_size < ((unsigned long)e_phoff + e_phnum * sizeof(Elf32_Phdr))) { -+ throwCantUnpack("bad e_phoff"); -+ } - e_shoff = get_te32(&ehdri.e_shoff); -+ if ((unsigned long)file_size < ((unsigned long)e_shoff + e_shnum * sizeof(Elf32_Shdr))) { -+ throwCantUnpack("bad e_shoff"); -+ } - sz_phdrs = e_phnum * e_phentsize; - - if (f && Elf32_Ehdr::ET_DYN!=e_type) { -@@ -661,8 +668,15 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f) - sz_phdrs = 0; - return; - } -+ if (0==e_phnum) throwCantUnpack("0==e_phnum"); - e_phoff = get_te64(&ehdri.e_phoff); -+ if ((unsigned long)file_size < (e_phoff + e_phnum * sizeof(Elf64_Phdr))) { -+ throwCantUnpack("bad e_phoff"); -+ } - e_shoff = get_te64(&ehdri.e_shoff); -+ if ((unsigned long)file_size < (e_shoff + e_shnum * sizeof(Elf64_Shdr))) { -+ throwCantUnpack("bad e_shoff"); -+ } - sz_phdrs = e_phnum * e_phentsize; - - if (f && Elf64_Ehdr::ET_DYN!=e_type) { -@@ -3490,6 +3504,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft) - - void PackLinuxElf64::unpack(OutputFile *fo) - { -+ if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr -+ throwCantUnpack("bad e_phoff"); -+ } - unsigned const c_phnum = get_te16(&ehdri.e_phnum); - upx_uint64_t old_data_off = 0; - upx_uint64_t old_data_len = 0; -@@ -4110,6 +4127,9 @@ Elf64_Sym const 
*PackLinuxElf64::elf_lookup(char const *name) const - - void PackLinuxElf32::unpack(OutputFile *fo) - { -+ if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr -+ throwCantUnpack("bad e_phoff"); -+ } - unsigned const c_phnum = get_te16(&ehdri.e_phnum); - unsigned old_data_off = 0; - unsigned old_data_len = 0; diff --git a/upx.spec b/upx.spec index 3d4aeda..ade1158 100644 --- a/upx.spec +++ b/upx.spec @@ -1,6 +1,6 @@ Name: upx Version: 3.95 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Ultimate Packer for eXecutables License: GPLv2+ and Public Domain @@ -9,6 +9,10 @@ Source0: http://upx.sourceforge.net/download/%{name}-%{version}.tar.gz Source1: https://github.com/upx/upx-lzma-sdk/archive/%{version}.tar.gz/upx-lzma-sdk-%{version}.tar.gz Patch0: upx-whitespace.patch Patch1: upx-nohtml.patch +Patch2: 276b748aa6021c38a2dc699153f61b10e76bc3d2.patch +Patch3: 58b122d97da1e02dfec24b10b6b8f56218b5622c.patch +Patch4: 6a53c0b3d499d62346a5c51034db543a4ef78ea3.patch + BuildRequires: gcc-c++ BuildRequires: ucl-devel >= 1.01 @@ -30,6 +34,9 @@ tar xfz %{SOURCE1} --strip-components=1 -C src/lzma-sdk/ %patch0 -p0 %patch1 -p0 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build export CXX="g++" @@ -53,6 +60,9 @@ install -Dpm 755 src/upx.out $RPM_BUILD_ROOT%{_bindir}/upx %changelog +* Thu Aug 01 2019 Gwyn Ciesla - 3.95-4 +- Upstream patches for CVE-2019-14295 and CVE-2019-14296. + * Sat Jul 27 2019 Fedora Release Engineering - 3.95-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
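Review bot: The three new Patch entries are identified only by upstream commit hash, so the spec itself gives no hint of what they fix or why the update was made; a one-line comment above them naming the upstream issues cited in the patch headers would help whoever next rebases the package, e.g. `# CVE-2019-14295 / CVE-2019-14296 (upstream upx issues #287, #286): reject malformed ELF section headers in p_vmlinx.cpp`. Applying these three with `-p1` while Patch0/Patch1 stay at `-p0` matches the `a/src/...` paths in the new patch files, so that part looks consistent.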