From e9cf3691bfa140469d52815a2307b00eecf7917c Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Mon, 4 Jan 2021 10:19:14 +1030 Subject: [PATCH] PR26741, benign use after free in riscv_parse_prefixed_ext ISO/IEC 9899:1999 C standard "J.2 Undefined behavior" says the following is undefined behaviour: "The value of a pointer that refers to space deallocated by a call to the free or realloc function is used (7.20.3)." PR 26741 * elfxx-riscv.c (riscv_parse_prefixed_ext): Free subset after calculating subset version length. --- bfd/ChangeLog | 6 ++++++ bfd/elfxx-riscv.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index d760a4a71b0..a72e811b1c9 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2021-01-04 Alan Modra + + PR 26741 + * elfxx-riscv.c (riscv_parse_prefixed_ext): Free subset after + calculating subset version length. + 2021-01-01 Nicolas Boulenguez * xcofflink.c: Correct spelling in comments. diff --git a/bfd/elfxx-riscv.c b/bfd/elfxx-riscv.c index 9d7f6069952..101e27f8202 100644 --- a/bfd/elfxx-riscv.c +++ b/bfd/elfxx-riscv.c @@ -1572,8 +1572,8 @@ riscv_parse_prefixed_ext (riscv_parse_subset_t *rps, riscv_parse_add_subset (rps, subset, major_version, minor_version, FALSE); - free (subset); p += end_of_version - subset; + free (subset); if (*p != '\0' && *p != '_') { -- 2.30.2
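Review bot: In the bfd/elfxx-riscv.c hunk at riscv_parse_prefixed_ext, the order of `p += end_of_version - subset;` followed by `free (subset);` is now required for correctness, but nothing in the code says so. A one-line comment above the free, stating that subset's value must not be used after it, would keep a later cleanup from moving the free back up next to riscv_parse_add_subset. Alternatively, compute the offset `end_of_version - subset` into a local before the call to free and advance p from that local, which makes the dependency explicit. The subtraction only reads the pointer value and never dereferences it, which matches the "benign" wording in the subject, and the free still precedes the `if (*p != '\0' && *p != '_')` check, so the visible lines do not add a path that skips it.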