diff options
author | Alan Modra <amodra@gmail.com> | 2020-12-14 19:36:47 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2020-12-14 23:36:19 +1030 |
commit | a86c6c19643e9ac795b17846e5b0db8b3e4c54de (patch) | |
tree | f5386f7ef68e42eb20296f3b436e0d947fbfa136 /bfd/elfcode.h | |
parent | PR26836, memory leak in parse_args (diff) | |
download | binutils-gdb-a86c6c19643e9ac795b17846e5b0db8b3e4c54de.tar.gz binutils-gdb-a86c6c19643e9ac795b17846e5b0db8b3e4c54de.tar.bz2 binutils-gdb-a86c6c19643e9ac795b17846e5b0db8b3e4c54de.zip |
Put bfd_section_from_shdr loop detection array in elf_tdata
The static variables used by bfd_section_from_shdr to detect loops
in ELF sections have a problem: Comparing a BFD pointer doesn't
guarantee that the current bfd is the same as the one previously used
to allocate the sections_being_created array. For example, doing
size bad_elf_1 bad_elf_2
with two corrupted ELF files containing section loops will leave the
section_being_created array allocated for the first file and since
bfd_close is called for bad_elf_1 before bfd_elf_2 is opened, it is
possible that the BFD for the second file is allocated in the same
memory as the first file. If bad_elf_2 has more sections than
bad_elf_1 then we might write beyond the end of the array.
So this patch implements the FIXME Nick put in a comment about
attaching the array to the BFD.
* elf-bfd.h (struct elf_obj_tdata): Add being_created.
* elf.c (bfd_section_from_shdr): Delete static vars for loop
detection. Use new tdata variable instead.
* elfcode.h (elf_object_p): Allocate being_created.
Diffstat (limited to 'bfd/elfcode.h')
-rw-r--r-- | bfd/elfcode.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/bfd/elfcode.h b/bfd/elfcode.h index c7da8f6c074..072220e220a 100644 --- a/bfd/elfcode.h +++ b/bfd/elfcode.h @@ -704,6 +704,9 @@ elf_object_p (bfd *abfd) elf_elfsections (abfd) = (Elf_Internal_Shdr **) bfd_alloc (abfd, amt); if (!elf_elfsections (abfd)) goto got_no_match; + elf_tdata (abfd)->being_created = bfd_zalloc (abfd, num_sec); + if (!elf_tdata (abfd)->being_created) + goto got_no_match; memcpy (i_shdrp, &i_shdr, sizeof (*i_shdrp)); for (shdrp = i_shdrp, shindex = 0; shindex < num_sec; shindex++) |