Fix a use-after-free bug in the BFD library when scanning a corrupt ELF file.
PR 26005 * elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory for the sections_being_created array.
parent
1d72769534
commit
ed02cdb5b7
|
@ -1,3 +1,9 @@
|
||||||
|
2020-05-18 Nick Clifton <nickc@redhat.com>
|
||||||
|
|
||||||
|
PR 26005
|
||||||
|
* elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
|
||||||
|
for the sections_being_created array.
|
||||||
|
|
||||||
2020-05-18 Alan Modra <amodra@gmail.com>
|
2020-05-18 Alan Modra <amodra@gmail.com>
|
||||||
|
|
||||||
* ecoff.c (ecoff_slurp_reloc_table): Malloc external_relocs so
|
* ecoff.c (ecoff_slurp_reloc_table): Malloc external_relocs so
|
||||||
|
|
|
@ -2071,7 +2071,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
|
||||||
if (sections_being_created == NULL)
|
if (sections_being_created == NULL)
|
||||||
{
|
{
|
||||||
size_t amt = elf_numsections (abfd) * sizeof (bfd_boolean);
|
size_t amt = elf_numsections (abfd) * sizeof (bfd_boolean);
|
||||||
sections_being_created = (bfd_boolean *) bfd_zalloc (abfd, amt);
|
|
||||||
|
/* PR 26005: Do not use bfd_zalloc here as the memory might
|
||||||
|
be released before the bfd has been fully scanned. */
|
||||||
|
sections_being_created = (bfd_boolean *) bfd_malloc (amt);
|
||||||
|
memset (sections_being_created, FALSE, amt);
|
||||||
if (sections_being_created == NULL)
|
if (sections_being_created == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
sections_being_created_abfd = abfd;
|
sections_being_created_abfd = abfd;
|
||||||
|
@ -2611,8 +2615,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
|
||||||
sections_being_created [shindex] = FALSE;
|
sections_being_created [shindex] = FALSE;
|
||||||
if (-- nesting == 0)
|
if (-- nesting == 0)
|
||||||
{
|
{
|
||||||
|
free (sections_being_created);
|
||||||
sections_being_created = NULL;
|
sections_being_created = NULL;
|
||||||
sections_being_created_abfd = abfd;
|
sections_being_created_abfd = NULL;
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
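Review bot: In the first elf.c hunk the added `memset (sections_being_created, FALSE, amt);` runs before the `if (sections_being_created == NULL)` check that follows it, so a failed `bfd_malloc` is written through instead of producing `return FALSE`. Because `amt` is derived from `elf_numsections (abfd)`, which comes from the file being scanned, a corrupt input can plausibly drive the allocation to fail and turn this into a NULL dereference. Either move the memset below the NULL check, or allocate with `sections_being_created = (bfd_boolean *) bfd_zmalloc (amt);` and drop the memset. bfd_section_from_shdr begins outside these hunks, so it cannot be confirmed from here that every exit path between the allocation and the new `free (sections_being_created);` in the second hunk reaches that cleanup.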