57 lines
1.8 KiB
Diff
57 lines
1.8 KiB
Diff
From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
|
|
From: Alan Modra <amodra@gmail.com>
|
|
Date: Wed, 15 Apr 2020 18:58:11 +0930
|
|
Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
|
|
|
|
PR 25823
|
|
* peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
|
|
pointer into strings that may be freed for section name, always
|
|
allocate a new string.
|
|
---
|
|
bfd/peXXigen.c | 20 ++++++++++----------
|
|
1 files changed, 10 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
|
|
index b9eeb77..8aa5914 100644
|
|
--- a/bfd/peXXigen.c
|
|
+++ b/bfd/peXXigen.c
|
|
@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
|
|
int unused_section_number = 0;
|
|
asection *sec;
|
|
flagword flags;
|
|
+ size_t name_len;
|
|
+ char *sec_name;
|
|
|
|
for (sec = abfd->sections; sec; sec = sec->next)
|
|
if (unused_section_number <= sec->target_index)
|
|
unused_section_number = sec->target_index + 1;
|
|
|
|
- if (name == namebuf)
|
|
+ name_len = strlen (name) + 1;
|
|
+ sec_name = bfd_alloc (abfd, name_len);
|
|
+ if (sec_name == NULL)
|
|
{
|
|
- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
|
|
- if (name == NULL)
|
|
- {
|
|
- _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
|
|
- abfd);
|
|
- return;
|
|
- }
|
|
- strcpy ((char *) name, namebuf);
|
|
+ _bfd_error_handler (_("%pB: out of memory creating name "
|
|
+ "for empty section"), abfd);
|
|
+ return;
|
|
}
|
|
+ memcpy (sec_name, name, name_len);
|
|
|
|
flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
|
|
- sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
|
|
+ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
|
|
if (sec == NULL)
|
|
{
|
|
_bfd_error_handler (_("%pB: unable to create fake empty section"),
|
|
--
|
|
1.8.3.1
|
|
|