If libdw_open_elf detects an invalid ELF file, it may attempt to
temporarily treat it as an ELF archive in order to check if there's
a valid ELF file following a header.

When doing this, the elf descriptor for the invalid file is given
the dummy state.ar.elf_ar_hdr.ar_name "libdwfl is faking you out".

Afterwards libdw_open_elf will call elf_end on the elf descriptor
for the invalid ELF file.  elf_end will attempt to free the address
of the "libdwfl is faking you out" literal, causing an invalid free.

Fix this by setting the ar_name to NULL before libdw_open_elf calls
elf_end on the descriptor of the invalid ELF file.

Signed-off-by: Aaron Merey <[email protected]>
---
 libdwfl/open.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libdwfl/open.c b/libdwfl/open.c
index 43b29fa9..03e66dfa 100644
--- a/libdwfl/open.c
+++ b/libdwfl/open.c
@@ -153,6 +153,7 @@ libdw_open_elf (int *fdp, Elf **elfp, bool close_on_fail, 
bool archive_ok,
          elf->state.ar.offset = offset - sizeof (struct ar_hdr);
          Elf *subelf = elf_begin (-1, elf->cmd, elf);
          elf->kind = ELF_K_NONE;
+         elf->state.ar.elf_ar_hdr.ar_name = NULL;
          if (unlikely (subelf == NULL))
            error = DWFL_E_LIBELF;
          else
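Review bot: The new assignment needs a comment; a reader of open.c will not see why `ar_name` is reset to NULL right after `elf_begin`. Suggest a one-line comment above `+         elf->state.ar.elf_ar_hdr.ar_name = NULL;` noting that the name assigned earlier is a static string literal that `elf_end` would otherwise attempt to free, as the commit message explains. Since the reset is unconditional and sits before the `if (unlikely (subelf == NULL))` check, it covers both the error and success paths, which is the right placement; it would still be worth stating in the commit message that nothing between this line and the later `elf_end` reads the parent's `ar_name` through `subelf`.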
-- 
2.51.0
