projects / binutils-gdb.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0ca4866)
PR25823, Use after free in bfd_hash_lookup
authorAlan Modra <amodra@gmail.com>
Wed, 15 Apr 2020 09:28:11 +0000 (18:58 +0930)
committerAlan Modra <amodra@gmail.com>
Wed, 15 Apr 2020 09:32:26 +0000 (19:02 +0930)
PR 25823
* peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
pointer into strings that may be freed for section name, always
allocate a new string.

bfd/ChangeLog patch | blob | history
bfd/peXXigen.c patch | blob | history

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index c3015012ab38cc27a7146eb1c802ac6806022f31..e837fdc133465b5c5eeeb2a126ebb907f819d3f6 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2020-04-15  Alan Modra  <amodra@gmail.com>
+
+       PR 25823
+       * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
+       pointer into strings that may be freed for section name, always
+       allocate a new string.
+
 2020-04-14  Juan Manuel Guerrero  <juan.guerrero@gmx.de>
             Jan W. Jagersma  <jwjagersma@gmail.com>
 
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index b9eeb775d9b1ba0c452e3b1fe541a2f27e412f8a..8aa5914acd93845e27b1362af22093b0866ee269 100644 (file)
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
          int unused_section_number = 0;
          asection *sec;
          flagword flags;
+         size_t name_len;
+         char *sec_name;
 
          for (sec = abfd->sections; sec; sec = sec->next)
            if (unused_section_number <= sec->target_index)
              unused_section_number = sec->target_index + 1;
 
-         if (name == namebuf)
+         name_len = strlen (name) + 1;
+         sec_name = bfd_alloc (abfd, name_len);
+         if (sec_name == NULL)
            {
-             name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
-             if (name == NULL)
-               {
-                 _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
-                                     abfd);
-                 return;
-               }
-             strcpy ((char *) name, namebuf);
+             _bfd_error_handler (_("%pB: out of memory creating name "
+                                   "for empty section"), abfd);
+             return;
            }
+         memcpy (sec_name, name, name_len);
 
          flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
-         sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
+         sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
          if (sec == NULL)
            {
              _bfd_error_handler (_("%pB: unable to create fake empty section"),