fix use-after-free in normalizeNoteSegments

Mic92 · Mic92 · commit 671f0cff5158 · 2021-08-18T09:11:27.000+02:00
diff --git a/src/patchelf.cc b/src/patchelf.cc
@@ -1011,6 +1011,7 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()
         [this](std::pair<const std::string, std::string> & i) { return rdi(findSection(i.first).sh_type) == SHT_NOTE; });
     if (!replaced_note) return;
 
+    std::vector<Elf_Phdr> newPhdrs;
     for (auto & phdr : phdrs) {
         if (rdi(phdr.p_type) != PT_NOTE) continue;
 
@@ -1047,11 +1048,13 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()
             if (curr_off == start_off)
                 phdr = new_phdr;
             else
-                phdrs.push_back(new_phdr);
+                newPhdrs.push_back(new_phdr);
 
             curr_off += size;
         }
     }
+    phdrs.insert(phdrs.end(), newPhdrs.begin(), newPhdrs.end());
+
     wri(hdr->e_phnum, phdrs.size());
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1011,6 +1011,7 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()`
`1011`	`1011`	`[this](std::pair<const std::string, std::string> & i) { return rdi(findSection(i.first).sh_type) == SHT_NOTE; });`
`1012`	`1012`	`if (!replaced_note) return;`
`1013`	`1013`
	`1014`	`+ std::vector<Elf_Phdr> newPhdrs;`
`1014`	`1015`	`for (auto & phdr : phdrs) {`
`1015`	`1016`	`if (rdi(phdr.p_type) != PT_NOTE) continue;`
`1016`	`1017`
`@@ -1047,11 +1048,13 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()`
`1047`	`1048`	`if (curr_off == start_off)`
`1048`	`1049`	`phdr = new_phdr;`
`1049`	`1050`	`else`
`1050`		`- phdrs.push_back(new_phdr);`
	`1051`	`+ newPhdrs.push_back(new_phdr);`
`1051`	`1052`
`1052`	`1053`	`curr_off += size;`
`1053`	`1054`	`}`
`1054`	`1055`	`}`
	`1056`	`+ phdrs.insert(phdrs.end(), newPhdrs.begin(), newPhdrs.end());`
	`1057`	`+`
`1055`	`1058`	`wri(hdr->e_phnum, phdrs.size());`
`1056`	`1059`	`}`
`1057`	`1060`