OpenE2K/binutils-gdb
12
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Prevent a potential use-after-fee memory corruption bug in the linker (for PE format files).

Browse Source 
PR 25993
	* emultempl/pe.em (_after_open): Check for duplicate filename
	pointers before renaming the dll.
	* emultempl/pep.em (_after_open): Likewise.
This commit is contained in:
Nick Clifton 2020-05-18 10:28:52 +01:00
parent d402189f2f
commit 5e365e474b
3 changed files with 46 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ld/ChangeLog
View File

@ -1,3 +1,10 @@
2020-05-18 Nick Clifton <nickc@redhat.com>
PR 25993
* emultempl/pe.em (_after_open): Check for duplicate filename
pointers before renaming the dll.
* emultempl/pep.em (_after_open): Likewise.
2020-05-13 Nick Clifton <nickc@redhat.com>
PR 25979

14
ld/emultempl/pe.em
View File

@ -1655,6 +1655,19 @@ gld_${EMULATION_NAME}_after_open (void)
else /* sentinel */
seq = 'c';
/* PR 25993: It is possible that is->the_bfd-filename == is->filename.
In which case calling bfd_set_filename on one will free the memory
pointed to by the other. */
if (is->filename == is->the_bfd->filename)
{
new_name = xmalloc (strlen (is->filename) + 3);
sprintf (new_name, "%s.%c", is->filename, seq);
bfd_set_filename (is->the_bfd, new_name);
is->filename = new_name;
}
else
{
new_name = xmalloc (strlen (is->the_bfd->filename) + 3);
sprintf (new_name, "%s.%c", is->the_bfd->filename, seq);
bfd_set_filename (is->the_bfd, new_name);
@ -1666,6 +1679,7 @@ gld_${EMULATION_NAME}_after_open (void)
}
}
}
}
{
/* The following chunk of code tries to identify jump stubs in

13
ld/emultempl/pep.em
View File

@ -1623,6 +1623,18 @@ gld_${EMULATION_NAME}_after_open (void)
else /* sentinel */
seq = 'c';
/* PR 25993: It is possible that is->the_bfd-filename == is->filename.
In which case calling bfd_set_filename on one will free the memory
pointed to by the other. */
if (is->filename == is->the_bfd->filename)
{
new_name = xmalloc (strlen (is->filename) + 3);
sprintf (new_name, "%s.%c", is->filename, seq);
bfd_set_filename (is->the_bfd, new_name);
is->filename = new_name;
}
else
{
new_name = xmalloc (strlen (is->the_bfd->filename) + 3);
sprintf (new_name, "%s.%c", is->the_bfd->filename, seq);
bfd_set_filename (is->the_bfd, new_name);
@ -1635,6 +1647,7 @@ gld_${EMULATION_NAME}_after_open (void)
}
}
}
}
static void
gld_${EMULATION_NAME}_before_allocation (void)