[BUG] A use after free bug in rdfload.c #3
Description
File: rdfload.c
Bug Function: rdfload/rdf_relocate
Version: Git-master/nasm-2.15.05
Description: I'll use the Git-master version as an example. In rdfload [rdfload.c, line 56], which is called by main() [rdx.c, line56].
m = rdfload(argv[1]);
Then, at [rdfload.c, line 111]:
rdfclose(&f->f);
freed &f->f and later returned f to m in main() [rdx.c, line56] above.
Then in main() [rdx.c, line 72]. :
rdf_relocate(m);
It is likely to cause a UAF bug in the fprintf[rdfload.c, line 206] .
fprintf(stderr, "%s: segment relocation not supported by this "
"loader\n", m->f.name);