PR26741, benign use after free in riscv_parse_prefixed_ext

amodra · amodra · commit e9cf3691bfa1 · 2021-01-04T11:08:05.000+10:30
ISO/IEC 9899:1999 C standard "J.2 Undefined behavior" says the
following is undefined behaviour:

"The value of a pointer that refers to space deallocated by a call to
the free or realloc function is used (7.20.3)."

	PR 26741
	* elfxx-riscv.c (riscv_parse_prefixed_ext): Free subset after
	calculating subset version length.
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2021-01-04  Alan Modra  <amodra@gmail.com>
+
+	PR 26741
+	* elfxx-riscv.c (riscv_parse_prefixed_ext): Free subset after
+	calculating subset version length.
+
 2021-01-01  Nicolas Boulenguez  <nicolas@debian.org>
 
 	* xcofflink.c: Correct spelling in comments.
diff --git a/bfd/elfxx-riscv.c b/bfd/elfxx-riscv.c
@@ -1572,8 +1572,8 @@ riscv_parse_prefixed_ext (riscv_parse_subset_t *rps,
       riscv_parse_add_subset (rps, subset,
 			      major_version,
 			      minor_version, FALSE);
-      free (subset);
       p += end_of_version - subset;
+      free (subset);
 
       if (*p != '\0' && *p != '_')
 	{

Original file line number	Diff line number	Diff line change
`@@ -1572,8 +1572,8 @@ riscv_parse_prefixed_ext (riscv_parse_subset_t *rps,`
`1572`	`1572`	`riscv_parse_add_subset (rps, subset,`
`1573`	`1573`	`major_version,`
`1574`	`1574`	`minor_version, FALSE);`
`1575`		`- free (subset);`
`1576`	`1575`	`p += end_of_version - subset;`
	`1576`	`+ free (subset);`
`1577`	`1577`
`1578`	`1578`	`if (p != '\0' && p != '_')`
`1579`	`1579`	`{`