Fix a use-after-free bug in the BFD library when scanning a corrupt ELF file.
authorNick Clifton <nickc@redhat.com>
Mon, 18 May 2020 14:52:03 +0000 (15:52 +0100)
committerNick Clifton <nickc@redhat.com>
Mon, 18 May 2020 14:52:03 +0000 (15:52 +0100)
PR 26005
* elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
for the sections_being_created array.

bfd/ChangeLog
bfd/elf.c

index 0e5dec08d6afce8a878c5ffe2720a1fa7d9f08f4..6b3c94b39f8eef1b51868c2c47b907ecd64f4650 100644 (file)
@@ -1,3 +1,9 @@
+2020-05-18  Nick Clifton  <nickc@redhat.com>
+
+       PR 26005
+       * elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
+       for the sections_being_created array.
+
 2020-05-18  Alan Modra  <amodra@gmail.com>
 
        * ecoff.c (ecoff_slurp_reloc_table): Malloc external_relocs so
index e9c525974bbf9c347f6544bb41111e894e1c5fe1..c74d95b442de0636fef37102b77540b6ab58b2f4 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -2071,7 +2071,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
       if (sections_being_created == NULL)
        {
          size_t amt = elf_numsections (abfd) * sizeof (bfd_boolean);
-         sections_being_created = (bfd_boolean *) bfd_zalloc (abfd, amt);
+
+         /* PR 26005: Do not use bfd_zalloc here as the memory might
+            be released before the bfd has been fully scanned.  */
+         sections_being_created = (bfd_boolean *) bfd_malloc (amt);
+         memset (sections_being_created, FALSE, amt);
          if (sections_being_created == NULL)
            return FALSE;
          sections_being_created_abfd = abfd;
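Review bot: The new `memset (sections_being_created, FALSE, amt);` runs before the `if (sections_being_created == NULL) return FALSE;` check that follows it, so an allocation failure now dereferences NULL instead of returning FALSE as the old bfd_zalloc path did. The simplest repair is to drop the separate memset and allocate zeroed memory with the non-bfd-owned wrapper, `sections_being_created = (bfd_boolean *) bfd_zmalloc (amt);`, keeping the NULL check immediately after it; alternatively move the memset below the check. The bfd_section_from_shdr body starts before and continues past this hunk, and the caller-facing behaviour (FALSE on OOM) presumably still matters for corrupt inputs with huge e_shnum.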
@@ -2611,8 +2615,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
     sections_being_created [shindex] = FALSE;
   if (-- nesting == 0)
     {
+      free (sections_being_created);
       sections_being_created = NULL;
-      sections_being_created_abfd = abfd;
+      sections_being_created_abfd = NULL;
     }
   return ret;
 }
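Review bot: With the array now owned by this function rather than the bfd, this `free (sections_being_created);` at the `-- nesting == 0` exit is the only release visible, so any other return from bfd_section_from_shdr taken at nesting depth 1 after the allocation would leak the buffer and leave the file-scope pointer set for a later call; the allocation hunk's own `return FALSE` appears to sit before nesting is incremented, but the rest of the function is outside this view, so that is worth confirming. If such exits exist, routing them through a single cleanup label that does the free and the two resets (`sections_being_created = NULL; sections_being_created_abfd = NULL;`) would keep the invariant in one place.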