From 66b2f3a60329d81b500280ffc6f3378699ab6a9c Mon Sep 17 00:00:00 2001
From: hugel <2712504175@qq.com>
Date: Wed, 6 Aug 2025 15:00:39 +0800
Subject: [PATCH] backport Fix double free in compute_abbrevs
---
 ...t-Fix-double-free-in-compute_abbrevs.patch | 64 +++++++++++++++++++
 dwz.spec | 6 +-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-double-free-in-compute_abbrevs.patch
diff --git a/backport-Fix-double-free-in-compute_abbrevs.patch b/backport-Fix-double-free-in-compute_abbrevs.patch
new file mode 100644
index 0000000..a64856d
--- /dev/null
+++ b/backport-Fix-double-free-in-compute_abbrevs.patch
@@ -0,0 +1,64 @@
+From ed021b829933e5f9ee90587196ba941c30ac832a Mon Sep 17 00:00:00 2001
+From: Tom de Vries
+Date: Mon, 12 May 2025 14:01:40 +0200
+Subject: [PATCH] Fix double free in compute_abbrevs
+
+PR32934 reports an abort in obstack_free after a double free.
+
+The relevant code is in compute_abbrevs:
+...
+ t = (struct abbrev_tag *)
+ obstack_alloc (&ob2,
+ sizeof (*t)
+ + (max_nattr + 4) * sizeof (struct abbrev_attr)
+ + (max_nattr + 4) * sizeof (int64_t));
+ ...
+ obstack_free (&ob2, (void *) t);
+ cuarr = (dw_cu_ref *) obstack_alloc (&ob2, ncus * sizeof (dw_cu_ref));
+ ...
+ obstack_free (&ob2, (void *) t);
+...
+
+The following happens:
+- t is allocated
+- t is freed
+- cuarr is allocated
+- t is freed.
+
+Usually, cuarr == t, so effectively cuarr is freed.
+
+But in the case of the PR, cuarr != t, so t is freed twice, triggering the
+abort.
+
+Fix this by freeing cuarr instead.
+
+Tested on x86_64-linux.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=32934
+
+2025-05-12 Tom de Vries
+
+ * dwz.c (compute_abbrevs): Free cuarr instead of double-freeing t.
+
+Conflict:NA
+Reference:https://sourceware.org/git/?p=dwz.git;a=patch;h=ed021b829933e5f9ee90587196ba941c30ac832a
+
+---
+ dwz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dwz.c b/dwz.c
+index da4121f..a27eb4d 100644
+--- a/dwz.c
++++ b/dwz.c
+@@ -11813,7 +11813,7 @@ compute_abbrevs (DSO *dso)
+ }
+ obstack_free (&ob2, (void *) arr);
+ }
+- obstack_free (&ob2, (void *) t);
++ obstack_free (&ob2, (void *) cuarr);
+ for (cu = first_cu; cu; cu = cu->cu_next)
+ {
+ struct abbrev_tag **arr;
+--
+2.43.5
diff --git a/dwz.spec b/dwz.spec
index 2500ec9..ed3748e 100644
--- a/dwz.spec
+++ b/dwz.spec
@@ -1,6 +1,6 @@
 Name: dwz
 Version: 0.14
-Release: 5
+Release: 6
 Summary: A DWARF optimization and duplicate removal tool
 License: GPLv2+ and GPLv3+
 URL: https://sourceware.org/dwz/
@@ -10,6 +10,7 @@ Patch1: testsuite-Handle-readelf-following-links-by-default.patch
 Patch2: backport-Fix-low-mem-memory-leak.patch
 Patch3: backport-Fix-memory-leak-in-write_multifile.patch
 Patch4: backport-Fix-memory-leak-in-build_abbrevs.patch
+Patch5: backport-Fix-double-free-in-compute_abbrevs.patch
 BuildRequires:gcc elfutils-libelf-devel dejagnu gcc-c++ gdb
@@ -57,6 +58,9 @@ make check
 %{_mandir}/man1/dwz*
 %changelog
+* Wed Aug 06 2025 hugel - 0.14-6
+- backport Fix double free in compute_abbrevs
+
 * Tue Dec 24 2024 hugel - 0.14-5
 - fix some memory leaks
-- Gitee
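Review bot: The new `Patch5:` declaration in the `@@ -10,6 +10,7 @@` hunk only takes effect if %prep applies it, and %prep is outside this diff; if that section uses explicit `%patchN -p1` lines rather than `%autosetup -p1`, a matching `%patch5 -p1` line is still missing and the double-free fix would never reach the built binary. The existing Patch1–Patch4 lines were presumably wired the same way, so whichever mechanism they use should be mirrored for Patch5. The Release bump and the changelog entry in the following hunk are consistent with the added patch, so this is the one remaining thing to confirm before the build is trusted to carry the fix.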