From 80e2a3b66ed9055fc26a1e5e26c6158b1c87111d Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Fri, 27 Mar 2020 10:30:56 +1030
Subject: [PATCH] Re: readelf looping in process_archive
This patch fixes a leak of qualified_name caused by 4c83662712 and a double free introduced by fd486f32d1. Not breaking out of the loop results in an error: "failed to seek to next archive header". That's slightly better than silently preventing the possibility of endless loops.
* readelf.c (process_archive): Don't double free qualified_name. Don't break out of loop with "negative" archive_file_size, just set file offset to max.
---
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 3 +--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 2f551f10316..efc2e9e2ae2 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-27 Alan Modra
+
+ * readelf.c (process_archive): Don't double free qualified_name.
+ Don't break out of loop with "negative" archive_file_size, just
+ set file offset to max.
+
 2020-03-25 Alan Modra
 * readelf.c (process_archive): Prevent endless loop.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9bc15e4d0b2..eb41e10dae9 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20461,7 +20461,6 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 close_file (member_filedata);
 free (member_file_name);
- free (qualified_name);
 }
 else if (is_thin_archive)
 {
@@ -20511,7 +20510,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 arch.next_arhdr_offset += archive_file_size;
 /* Stop looping with "negative" archive_file_size. */
 if (arch.next_arhdr_offset < archive_file_size)
- break;
+ arch.next_arhdr_offset = -1ul;
 }
 free (qualified_name);
--
2.30.2
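Review bot: In the second readelf.c hunk the retained comment `/* Stop looping with "negative" archive_file_size. */` no longer describes the code under it, because the wrapped offset is now set to the maximum value and the loop carries on. Termination on a malformed archive therefore depends on the seek at the top of the loop, which is outside this hunk, rejecting that offset; the commit message says this produces "failed to seek to next archive header". I would reword the comment to say so, for example `/* On wraparound ("negative" archive_file_size) force an offset that the next seek must reject.  */`. Separately, `-1ul` is the maximum only if next_arhdr_offset is an unsigned long; its declaration is not visible here, so if it is a wider unsigned type, `arch.next_arhdr_offset = -1;` would give the maximum regardless of width. The body of process_archive starts and ends outside the hunk.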