fix use-after-free in normalizeNoteSegments

Mic92 · Mic92 · commit bf62fda4ecab · 2021-08-21T09:43:23.000+02:00
diff --git a/src/patchelf.cc b/src/patchelf.cc
@@ -1025,6 +1025,7 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()
         [this](std::pair<const std::string, std::string> & i) { return rdi(findSection(i.first).sh_type) == SHT_NOTE; });
     if (!replaced_note) return;
 
+    std::vector<Elf_Phdr> newPhdrs;
     for (auto & phdr : phdrs) {
         if (rdi(phdr.p_type) != PT_NOTE) continue;
 
@@ -1061,11 +1062,13 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()
             if (curr_off == start_off)
                 phdr = new_phdr;
             else
-                phdrs.push_back(new_phdr);
+                newPhdrs.push_back(new_phdr);
 
             curr_off += size;
         }
     }
+    phdrs.insert(phdrs.end(), newPhdrs.begin(), newPhdrs.end());
+
     wri(hdr->e_phnum, phdrs.size());
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1025,6 +1025,7 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()`
`1025`	`1025`	`[this](std::pair<const std::string, std::string> & i) { return rdi(findSection(i.first).sh_type) == SHT_NOTE; });`
`1026`	`1026`	`if (!replaced_note) return;`
`1027`	`1027`
	`1028`	`+ std::vector<Elf_Phdr> newPhdrs;`
`1028`	`1029`	`for (auto & phdr : phdrs) {`
`1029`	`1030`	`if (rdi(phdr.p_type) != PT_NOTE) continue;`
`1030`	`1031`
`@@ -1061,11 +1062,13 @@ void ElfFile<ElfFileParamNames>::normalizeNoteSegments()`
`1061`	`1062`	`if (curr_off == start_off)`
`1062`	`1063`	`phdr = new_phdr;`
`1063`	`1064`	`else`
`1064`		`- phdrs.push_back(new_phdr);`
	`1065`	`+ newPhdrs.push_back(new_phdr);`
`1065`	`1066`
`1066`	`1067`	`curr_off += size;`
`1067`	`1068`	`}`
`1068`	`1069`	`}`
	`1070`	`+ phdrs.insert(phdrs.end(), newPhdrs.begin(), newPhdrs.end());`
	`1071`	`+`
`1069`	`1072`	`wri(hdr->e_phnum, phdrs.size());`
`1070`	`1073`	`}`
`1071`	`1074`