From ed02cdb5b78d17429f7e873acc49d94a5a0223d8 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Mon, 18 May 2020 15:52:03 +0100
Subject: [PATCH] Fix a use-after-free bug in the BFD library when scanning a corrupt ELF file.

	PR 26005
	* elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
	for the sections_being_created array.
---
 bfd/ChangeLog | 6 ++++++
 bfd/elf.c     | 9 +++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 0e5dec08d6..6b3c94b39f 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-05-18  Nick Clifton
+
+	PR 26005
+	* elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
+	for the sections_being_created array.
+
 2020-05-18  Alan Modra
 
 	* ecoff.c (ecoff_slurp_reloc_table): Malloc external_relocs so
diff --git a/bfd/elf.c b/bfd/elf.c
index e9c525974b..c74d95b442 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -2071,7 +2071,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
   if (sections_being_created == NULL)
     {
       size_t amt = elf_numsections (abfd) * sizeof (bfd_boolean);
-      sections_being_created = (bfd_boolean *) bfd_zalloc (abfd, amt);
+
+      /* PR 26005: Do not use bfd_zalloc here as the memory might
+	 be released before the bfd has been fully scanned.  */
+      sections_being_created = (bfd_boolean *) bfd_malloc (amt);
+      memset (sections_being_created, FALSE, amt);
       if (sections_being_created == NULL)
 	return FALSE;
       sections_being_created_abfd = abfd;
@@ -2611,8 +2615,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
   sections_being_created [shindex] = FALSE;
   if (-- nesting == 0)
     {
+      free (sections_being_created);
       sections_being_created = NULL;
-      sections_being_created_abfd = abfd;
+      sections_being_created_abfd = NULL;
     }
   return ret;
 }
-- 
2.34.1
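Review bot: In the first elf.c hunk the added `memset (sections_being_created, FALSE, amt);` runs before the `if (sections_being_created == NULL) return FALSE;` check, so a failed bfd_malloc dereferences NULL instead of taking the error return; since amt is derived from elf_numsections of the file being scanned, a corrupt header with a large section count is exactly the case where this allocation can fail. The memset must move below the check: `sections_being_created = (bfd_boolean *) bfd_malloc (amt);` / `if (sections_being_created == NULL) return FALSE;` / `memset (sections_being_created, FALSE, amt);`. Because the array is now heap-owned rather than released with the bfd, the `free` added in the second hunk is the only release point, so it is worth confirming that every exit between the two hunks still reaches the nesting bookkeeping there; the body of bfd_section_from_shdr lies almost entirely outside these hunks. A short comment above the free such as `/* PR 26005: allocated with bfd_malloc, not tied to abfd's lifetime.  */` would tie the two hunks together for the next reader.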