From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 15 Apr 2020 18:58:11 +0930
Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
PR 25823
* peXXigen.c (_bfd_XXi_swap_sym_in ): Don't use a pointer into strings that may be freed for section name, always allocate a new string.
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a]
CVE: CVE-2020-16592
Signed-off-by: Chee Yang Lee
---
 bfd/peXXigen.c | 20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index b9eeb775d9b..8aa5914acd9 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
 int unused_section_number = 0;
 asection *sec;
 flagword flags;
+ size_t name_len;
+ char *sec_name;
 for (sec = abfd->sections; sec; sec = sec->next)
 if (unused_section_number <= sec->target_index)
 unused_section_number = sec->target_index + 1;
- if (name == namebuf)
+ name_len = strlen (name) + 1;
+ sec_name = bfd_alloc (abfd, name_len);
+ if (sec_name == NULL)
 {
- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
- if (name == NULL)
- {
- _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
- abfd);
- return;
- }
- strcpy ((char *) name, namebuf);
+ _bfd_error_handler (_("%pB: out of memory creating name "
+ "for empty section"), abfd);
+ return;
 }
+ memcpy (sec_name, name, name_len);
 flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
- sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
+ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
 if (sec == NULL)
 {
 _bfd_error_handler (_("%pB: unable to create fake empty section"),
--
2.27.0
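Review bot: The unconditional copy into `sec_name` carries no comment saying why it must never be skipped, so a later cleanup could restore the old `name == namebuf` shortcut and bring back the use-after-free this patch fixes. I would add above `name_len = strlen (name) + 1;` something like `/* Always copy: NAME may point into a string table that can be freed while the section still holds the pointer (PR 25823). */`. The body of `_bfd_XXi_swap_sym_in` begins and ends outside the hunk, so it cannot be confirmed from here that `name` is non-NULL before `strlen (name)`; presumably an earlier check covers it, which is worth verifying in the backport target. The patch also adds no regression test for the freed-name case.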