PR26741, benign use after free in riscv_parse_prefixed_ext

ISO/IEC 9899:1999 C standard "J.2 Undefined behavior" says the
following is undefined behaviour:

"The value of a pointer that refers to space deallocated by a call to
the free or realloc function is used (7.20.3)."

	PR 26741
	* elfxx-riscv.c (riscv_parse_prefixed_ext): Free subset after
	calculating subset version length.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index d760a4a71b0d1acf79919a10ac0d5da63a7a9411..a72e811b1c9be2cf803ece69a6e4e0647d6c6179 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2021-01-04  Alan Modra  <amodra@gmail.com>
+
+       PR 26741
+       * elfxx-riscv.c (riscv_parse_prefixed_ext): Free subset after
+       calculating subset version length.
+
 2021-01-01  Nicolas Boulenguez  <nicolas@debian.org>
 
        * xcofflink.c: Correct spelling in comments.

diff --git a/bfd/elfxx-riscv.c b/bfd/elfxx-riscv.c
index 9d7f60699529f0add9d9fb2d09b19f502b559a0c..101e27f8202b61b7a1d3c47b9a583ea7899c9f3b 100644 (file)
--- a/bfd/elfxx-riscv.c
+++ b/bfd/elfxx-riscv.c
@@ -1572,8 +1572,8 @@ riscv_parse_prefixed_ext (riscv_parse_subset_t *rps,
       riscv_parse_add_subset (rps, subset,
                              major_version,
                              minor_version, FALSE);
-      free (subset);
       p += end_of_version - subset;
+      free (subset);
 
       if (*p != '\0' && *p != '_')
        {