From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 15 Apr 2020 18:58:11 +0930
Subject: PR25823, Use after free in bfd_hash_lookup

	PR 25823
	* peXXigen.c (_bfd_XXi_swap_sym_in ): Don't use a
	pointer into strings that may be freed for section name, always
	allocate a new string.
---
 bfd/ChangeLog  |  7 +++++++
 bfd/peXXigen.c | 20 ++++++++++----------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index c301501..e837fdc 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2020-04-15  Alan Modra
+
+	PR 25823
+	* peXXigen.c (_bfd_XXi_swap_sym_in ): Don't use a
+	pointer into strings that may be freed for section name, always
+	allocate a new string.
+
 2020-04-14  Juan Manuel Guerrero
 	    Jan W. Jagersma
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index b9eeb77..8aa5914 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
       int unused_section_number = 0;
       asection *sec;
       flagword flags;
+      size_t name_len;
+      char *sec_name;
       for (sec = abfd->sections; sec; sec = sec->next)
 	if (unused_section_number <= sec->target_index)
 	  unused_section_number = sec->target_index + 1;
-      if (name == namebuf)
+      name_len = strlen (name) + 1;
+      sec_name = bfd_alloc (abfd, name_len);
+      if (sec_name == NULL)
 	{
-	  name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
-	  if (name == NULL)
-	    {
-	      _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
-				  abfd);
-	      return;
-	    }
-	  strcpy ((char *) name, namebuf);
+	  _bfd_error_handler (_("%pB: out of memory creating name "
+				"for empty section"), abfd);
+	  return;
 	}
+      memcpy (sec_name, name, name_len);
       flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
-      sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
+      sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
       if (sec == NULL)
 	{
 	  _bfd_error_handler (_("%pB: unable to create fake empty section"),
-- 
cgit v1.1
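Review bot: The unconditional copy at `name_len = strlen (name) + 1;` deserves a comment saying why the old `if (name == namebuf)` shortcut was dropped, otherwise a later cleanup may reintroduce it and with it the use-after-free; suggest `/* NAME may point into a string table that is freed later (PR 25823), so the section must own its own copy of the name.  */` above that line. A smaller point: when `bfd_make_section_anyway_with_flags` returns NULL the freshly allocated `sec_name` is left on the BFD's obstack; if that path is worth tidying, `bfd_release (abfd, sec_name);` before the return would give it back, though the rest of that failure branch is outside the hunk. The enclosing function `_bfd_XXi_swap_sym_in` begins and ends outside the hunk, and where `name` comes from is not visible here, so whether it is always NUL-terminated before the `strlen` cannot be confirmed from this excerpt.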