From ecbbbdba7182865e522e0893915e9be487fe14b0 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 17 Mar 2020 16:45:07 +0000
Subject: [PATCH] Remove a double free in the BFD library triggered when parsing a corrupt file.
PR 25687
* elf.c (_bfd_elf_slurp_secondary_reloc_section): Remove redundant free. Add free on another failure path.
---
 bfd/ChangeLog | 6 ++++++
 bfd/elf.c | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 76e2ba0fb88..515ab02bf50 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-17 Nick Clifton
+
+ PR 25687
+ * elf.c (_bfd_elf_slurp_secondary_reloc_section): Remove redundant
+ free. Add free on another failure path.
+
 2020-03-16 Alan Modra
 
 PR 25675
diff --git a/bfd/elf.c b/bfd/elf.c
index 8ab7b3e2e81..2a299f15f00 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -12454,6 +12454,7 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
 reloc_count = NUM_SHDR_ENTRIES (hdr);
 if (_bfd_mul_overflow (reloc_count, sizeof (arelent), & amt))
 {
+ free (native_relocs);
 bfd_set_error (bfd_error_file_too_big);
 result = FALSE;
 continue;
@@ -12472,7 +12473,8 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
 != hdr->sh_size))
 {
 free (native_relocs);
- free (internal_relocs);
+ /* The internal_relocs will be freed when
+ the memory for the bfd is released. */
 result = FALSE;
 continue;
 }
-- 
2.30.2
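Review bot: After the added `free (native_relocs);` on the overflow path the pointer keeps its stale value while the loop moves on with `continue`, which is the same shape of cleanup that led to the double free this commit removes. The declaration of native_relocs and the loop header are outside the hunk, so whether it is re-assigned before any later free cannot be confirmed from here. If it is declared outside the loop body, I would follow the call with `native_relocs = NULL;` here and on the read-failure path in the second elf.c hunk, so a repeated free becomes a harmless no-op.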
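Review bot: The replacement comment on the read-failure path says when internal_relocs is released but not why calling free() on it is wrong, which is what a maintainer adding the next failure path needs to know. The allocation is outside the hunk; assuming the buffer comes from the bfd's own allocator, as the comment implies, I would word it as `/* internal_relocs is owned by the bfd's allocator: never free() it. It is released with the bfd's memory. */`. The diffstat touches only ChangeLog and elf.c, so the patch adds no regression input for PR 25687; a corrupt-file test case exercising this path would keep the mismatched free from being reintroduced.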