authorNick Clifton <nickc@redhat.com>2020-05-18 15:52:03 +0100
committerNick Clifton <nickc@redhat.com>2020-05-18 15:52:03 +0100
commited02cdb5b78d17429f7e873acc49d94a5a0223d8 (patch)
treeecfc3cc85c5cda5d67028af4d45a591443a9a439 /bfd
parent1d72769534bde2c366f670763105f714e0124d01 (diff)
Fix a use-after-free bug in the BFD library when scanning a corrupt ELF file.
PR 26005 * elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory for the sections_being_created array.
Diffstat (limited to 'bfd')
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/elf.c9
2 files changed, 13 insertions, 2 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 0e5dec08d6a..6b3c94b39f8 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-05-18 Nick Clifton <nickc@redhat.com>
+
+ PR 26005
+ * elf.c (bfd_section_from_shdr): Use bfd_malloc to allocate memory
+ for the sections_being_created array.
+
2020-05-18 Alan Modra <amodra@gmail.com>
* ecoff.c (ecoff_slurp_reloc_table): Malloc external_relocs so
diff --git a/bfd/elf.c b/bfd/elf.c
index e9c525974bb..c74d95b442d 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -2071,7 +2071,11 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
if (sections_being_created == NULL)
{
size_t amt = elf_numsections (abfd) * sizeof (bfd_boolean);
- sections_being_created = (bfd_boolean *) bfd_zalloc (abfd, amt);
+
+ /* PR 26005: Do not use bfd_zalloc here as the memory might
+ be released before the bfd has been fully scanned. */
+ sections_being_created = (bfd_boolean *) bfd_malloc (amt);
+ memset (sections_being_created, FALSE, amt);
if (sections_being_created == NULL)
return FALSE;
sections_being_created_abfd = abfd;
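Review bot: The added `memset (sections_being_created, FALSE, amt);` runs before the `if (sections_being_created == NULL)` check, so a failed bfd_malloc is passed to memset as a NULL destination before the function can return FALSE. Move the memset below the check, or allocate zeroed memory in one step with `sections_being_created = (bfd_boolean *) bfd_zmalloc (amt);` and drop the memset. The size comes from `elf_numsections (abfd)`, which is taken from the file being parsed, so allocation failure is a realistic case on the corrupt-input path this commit targets. The body of bfd_section_from_shdr starts and continues outside the hunk.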
@@ -2611,8 +2615,9 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
sections_being_created [shindex] = FALSE;
if (-- nesting == 0)
{
+ free (sections_being_created);
sections_being_created = NULL;
- sections_being_created_abfd = abfd;
+ sections_being_created_abfd = NULL;
}
return ret;
}
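Review bot: The array is now owned by malloc/free instead of being tied to the bfd through bfd_zalloc, and this `free (sections_being_created);` is the only release visible, reached only when `nesting` drops back to 0. Any path outside this hunk that sets `sections_being_created` to NULL without freeing it first (for instance if a call arrives for a different bfd than `sections_being_created_abfd`), or that returns without decrementing `nesting`, would now leak the array or leave stale static state. The `return FALSE` after the allocation in the first elf.c hunk looks like one such exit, though the `nesting` increment is not visible here. Those paths should be audited and given a `free (sections_being_created);` before the reset. A short comment at this site, such as `/* Allocated with bfd_malloc; release once the outermost call unwinds. */`, would document the ownership.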