Report

CVE-2020-16592: use-after-free in bfd_hash_lookup (binutils 2.34 BFD library)

7eb2001a-9a22-4253-b973-9b179e1d6462

CVE-2020-16592 is a use-after-free in bfd_hash_lookup in the binutils BFD library. bfd_hash_table_free() frees the objalloc but leaves table->table pointing at the now-freed bucket array and leaves table->size unchanged, so any later call to bfd_hash_lookup() on the freed table reads freed memory at table->table[_index].

The bug is triggered during section merging: _bfd_merge_sections_free(), which calls bfd_hash_table_free() and then free(sinfo->htab), runs while the sec_merge_sec_info structs held in elf_section_data still carry a dangling secinfo->htab pointer. If _bfd_merged_section_offset() is then called, it dereferences the freed secinfo->htab to check secinfo->htab->strings and then calls sec_merge_hash_lookup(), which accesses the freed hash bucket array.

The flaw can reach abort() through the reachable assertions at lines 929, 933 and 935 of merge.c.
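As an added illustration (not the BFD code and not the reporter's material), the following C model reproduces the pattern behind the report: a bucket-array hash table whose free routine leaves the handle dangling, beside a free routine that resets table->table and table->size so that a lookup through a stale handle is rejected instead of indexing released memory. All type and function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal model of a bfd_hash_table: a bucket array of chained
   entries (constructed for this example; not the BFD implementation). */
struct entry { const char *string; unsigned long hash; struct entry *next; };
struct table { struct entry **table; unsigned int size; };
static unsigned long hash_str(const char *s) {        /* constructed: djb2 */
    unsigned long h = 5381; for (; *s; s++) h = h * 33 + (unsigned char)*s; return h;
}
int table_init(struct table *t, unsigned int size) {
    t->table = calloc(size, sizeof *t->table);
    t->size = t->table ? size : 0;
    return t->table != NULL;
}

/* Mirrors the table->table[index] access from the report. Hardening: a freed
   table carries table == NULL and size == 0, so no dangling array is indexed. */
struct entry *table_lookup(struct table *t, const char *s, int create) {
    if (t->table == NULL || t->size == 0) return NULL;
    unsigned long h = hash_str(s);
    unsigned int idx = (unsigned int)(h % t->size);
    for (struct entry *e = t->table[idx]; e; e = e->next)
        if (e->hash == h && strcmp(e->string, s) == 0) return e;
    if (!create) return NULL;
    struct entry *e = malloc(sizeof *e);
    if (!e) return NULL;
    e->string = s; e->hash = h; e->next = t->table[idx]; t->table[idx] = e;
    return e;
}
static void free_buckets(struct table *t) {
    for (unsigned int i = 0; i < t->size; i++)
        for (struct entry *e = t->table[i], *n; e; e = n) { n = e->next; free(e); }
    free(t->table);
}
/* Defect pattern from the report: storage released, handle left dangling. */
void table_free_unsafe(struct table *t) { free_buckets(t); }
/* Fixed: release, then reset the handle so a stale user sees an empty table. */
void table_free(struct table *t) { free_buckets(t); t->table = NULL; t->size = 0; }

/* Insert, free, then look up via the stale handle: 1 when the lookup is rejected. */
int lifecycle_check(void) {
    struct table t;
    if (!table_init(&t, 16) || !table_lookup(&t, ".rodata.str1.1", 1)) return -1;
    table_free(&t);
    return table_lookup(&t, ".rodata.str1.1", 0) == NULL
        && table_lookup(&t, "other", 1) == NULL;
}
```

Calling table_lookup() after table_free_unsafe() is exactly the stale-handle access the report describes; the reset in table_free() is what turns that into a harmless NULL result.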