asan: readelf: use after free in process_archive

This tidies up in cases where fuzzed thin archives hit the error return
path in setup_nested_archive.

	* elfcomm.c (setup_nested_archive): Set nested_arch->file to NULL
	after freeing.
	(release_archive): Set fields of arch to NULL after freeing.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 95a868ae684c1af8dc92d6890174f352f56ccb01..13d9c3e0576a967358ff5dfdf085120aaf2c6759 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2020-06-27  Alan Modra  <amodra@gmail.com>
+
+       * elfcomm.c (setup_nested_archive): Set nested_arch->file to NULL
+       after freeing.
+       (release_archive): Set fields of arch to NULL after freeing.
+
 2020-06-26  Nick Alcock  <nick.alcock@oracle.com>
 
        * readelf.c (dump_section_as_ctf): Support .ctf archives using

diff --git a/binutils/elfcomm.c b/binutils/elfcomm.c
index 558afa7d056c29304a2bf2c4061ffad5341a9841..37f9dbe7eef7c096b768d06455f4613e2a2a6726 100644 (file)
--- a/binutils/elfcomm.c
+++ b/binutils/elfcomm.c
@@ -727,7 +727,10 @@ setup_nested_archive (struct archive_info *nested_arch,
 
   /* Close previous file and discard cached information.  */
   if (nested_arch->file != NULL)
-    fclose (nested_arch->file);
+    {
+      fclose (nested_arch->file);
+      nested_arch->file = NULL;
+    }
   release_archive (nested_arch);
 
   member_file = fopen (member_file_name, "rb");
@@ -748,6 +751,10 @@ release_archive (struct archive_info * arch)
   free (arch->index_array);
   free (arch->sym_table);
   free (arch->longnames);
+  arch->file_name = NULL;
+  arch->index_array = NULL;
+  arch->sym_table = NULL;
+  arch->longnames = NULL;
 }
 
 /* Get the name of an archive member from the current archive header.