If libdw_open_elf detects an invalid ELF file, it may attempt to
temporarily treat it as an ELF archive in order to check if there's
a valid ELF file following a header.

When doing this, the elf descriptor for the invalid file is given
the dummy state.ar.elf_ar_hdr.ar_name "libdwfl is faking you out".

Afterwards libdw_open_elf will call elf_end on the elf descriptor
for the invalid ELF file. elf_end will attempt to free the address
of the "libdwfl is faking you out" literal, causing an invalid free.

Fix this by setting the ar_name to NULL before libdw_open_elf calls
elf_end on the descriptor of the invalid ELF file.

Signed-off-by: Aaron Merey <amerey@redhat.com>

elf->state.ar.offset = offset - sizeof (struct ar_hdr);
Elf *subelf = elf_begin (-1, elf->cmd, elf);
elf->kind = ELF_K_NONE;
+ elf->state.ar.elf_ar_hdr.ar_name = NULL;
if (unlikely (subelf == NULL))
error = DWFL_E_LIBELF;
else
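
Review bot: The added `elf->state.ar.elf_ar_hdr.ar_name = NULL;` carries no comment, and without the commit message a reader cannot tell why a field of the archive state is cleared right after `elf->kind = ELF_K_NONE;`. A one-line comment above it would help, saying that ar_name was pointed at a string literal for the fake archive and must not reach the free in elf_end. The reset sits before the `subelf == NULL` check, so it covers both the error and the success branch, which is what the fix needs. Two things worth confirming in the patch: whether any other state.ar field set up for the fake archive earlier in the function also points at non-heap memory and needs the same reset, and whether a regression test that opens an invalid ELF file through this path can be added, since none is visible here.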