author | Nick Clifton <nickc@redhat.com> | 2020-05-18 15:52:03 +0100 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2020-05-18 15:52:03 +0100 |
commit | ed02cdb5b78d17429f7e873acc49d94a5a0223d8 (patch) | |
tree | ecfc3cc85c5cda5d67028af4d45a591443a9a439 /bfd/elf.c | |
parent | 1d72769534bde2c366f670763105f714e0124d01 (diff) | |
Fix a use-after-free bug in the BFD library when scanning a corrupt ELF file.
PR 26005
* elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
for the sections_being_created array.
Diffstat (limited to 'bfd/elf.c')
-rw-r--r-- | bfd/elf.c | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -2071,7 +2071,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
 if (sections_being_created == NULL)
 {
 size_t amt = elf_numsections (abfd) * sizeof (bfd_boolean);
- sections_being_created = (bfd_boolean *) bfd_zalloc (abfd, amt);
+
+ /* PR 26005: Do not use bfd_zalloc here as the memory might
+ be released before the bfd has been fully scanned. */
+ sections_being_created = (bfd_boolean *) bfd_malloc (amt);
+ memset (sections_being_created, FALSE, amt);
 if (sections_being_created == NULL)
 return FALSE;
 sections_being_created_abfd = abfd;
@@ -2611,8 +2615,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
 sections_being_created [shindex] = FALSE;
 if (-- nesting == 0)
 {
+ free (sections_being_created);
 sections_being_created = NULL;
- sections_being_created_abfd = abfd;
+ sections_being_created_abfd = NULL;
 }
 return ret;
 } |
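Review bot: In the first hunk `memset (sections_being_created, FALSE, amt);` runs before the `if (sections_being_created == NULL)` check, so a failed bfd_malloc is written through instead of being reported. `amt` is computed from `elf_numsections (abfd)`, which presumably reflects the section count of the (possibly corrupt) input file, so an oversized request that fails is a realistic path here. Move the memset below the NULL check, or replace both lines with a zeroing allocation that is not tied to the bfd, `sections_being_created = (bfd_boolean *) bfd_zmalloc (amt);`. The body of bfd_section_from_shdr starts and ends outside this hunk.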
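Review bot: The `free (sections_being_created);` in the second hunk is the only visible release of what is now a heap block held in a static pointer, and it runs only when `-- nesting == 0`. Any statement elsewhere in bfd_section_from_shdr that resets `sections_being_created` to NULL without freeing it (for example when the cached abfd differs from the current one; not visible in these hunks) would now leak the array, and any return that bypasses this epilogue would leave the pointer live for the next call. Those paths are worth auditing, and a short comment at the free would record the new ownership, e.g. `/* Pairs with the bfd_malloc above; the array is no longer owned by ABFD.  */`.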