Hi,

This patch ensures that e_shentsize (the section header size in bytes) is big enough to hold at least one Elf_Shdr.

Please note, I am not completely sure I have understood this part: calloc() is called with a dynamic element size (e_shentsize, read from the file), but the variable is declared as Elf_Shdr[] (an array of Elf_Shdr, which has a fixed element size).

While here, invert the calloc() arguments to calloc(nmemb, size), matching the fread() call that follows.

This problem was found with afl, when e_shentsize was 1.

-- 
Sébastien Marie

Index: b/usr.bin/nm/elf.c
===================================================================
--- a/usr.bin/nm/elf.c	2015-06-19 06:26:13.704127213 +0200
+++ b/usr.bin/nm/elf.c	2015-06-19 06:48:58.806582243 +0200
@@ -159,7 +159,12 @@
 		return (NULL);
 	}
 
-	if ((shdr = calloc(head->e_shentsize, head->e_shnum)) == NULL) {
+	if (head->e_shentsize < sizeof(Elf_Shdr)) {
+		warnx("%s: inconsistent section header size", name);
+		return (NULL);
+	}
+
+	if ((shdr = calloc(head->e_shnum, head->e_shentsize)) == NULL) {
 		warn("%s: malloc shdr", name);
 		return (NULL);
 	}
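Review bot: the new `<` check still accepts any e_shentsize larger than sizeof(Elf_Shdr), yet, as the message itself points out, shdr is declared Elf_Shdr[] and the following fread() fills e_shnum * e_shentsize bytes into it; with an oversized e_shentsize every header after the first would then be picked up at the wrong offset when the array is indexed with a fixed sizeof(Elf_Shdr) stride. Either reject the mismatch outright, `if (head->e_shentsize != sizeof(Elf_Shdr))`, which is all the fixed-size array can represent, or keep the `<` check and read each header individually at e_shoff + i * e_shentsize. Minor: the error string `warn("%s: malloc shdr", name)` now follows a calloc() call and could say so.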
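As an added example, not code from the patch or from the nm(1) source, here is a self-contained C check of the same invariant on a constructed in-memory little-endian ELF64 image: e_shentsize must hold at least one section header, the whole table must fit inside the file, and section headers are then read at the file's own e_shentsize stride so that oversized entries land on the right offset (the case the patch leaves open). Field offsets follow the ELF64 header layout; the image builder, the 100 + i sh_type values and the scenario helpers are constructed test data, not anything from the original.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes and field offsets of the little-endian ELF64 header and section
 * header (Elf64_Ehdr / Elf64_Shdr), as defined by the ELF specification. */
#define EHDR_SIZE        64
#define SHDR_SIZE        64
#define OFF_E_SHOFF      40
#define OFF_E_SHENTSIZE  58
#define OFF_E_SHNUM      60
#define OFF_SH_TYPE      4

enum shtab_status {
	SHTAB_OK = 0,
	SHTAB_TRUNCATED_EHDR,   /* image shorter than an ELF64 header */
	SHTAB_BAD_SHENTSIZE,    /* e_shentsize smaller than an Elf64_Shdr */
	SHTAB_OUT_OF_BOUNDS     /* table does not fit inside the image */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Check that the section header table described by the ELF header fits the
 * image and that each entry is at least as large as an Elf64_Shdr. */
enum shtab_status check_shtab(const uint8_t *img, size_t len)
{
	if (len < EHDR_SIZE)
		return SHTAB_TRUNCATED_EHDR;
	uint64_t shoff = rd64(img + OFF_E_SHOFF);
	uint16_t shentsize = rd16(img + OFF_E_SHENTSIZE);
	uint16_t shnum = rd16(img + OFF_E_SHNUM);
	if (shnum == 0)
		return SHTAB_OK;                /* no section header table at all */
	if (shentsize < SHDR_SIZE)
		return SHTAB_BAD_SHENTSIZE;     /* the case afl found: e_shentsize == 1 */
	/* 16-bit * 16-bit cannot overflow a 64-bit product, so do the size
	 * arithmetic in 64 bits instead of trusting a size_t multiplication. */
	uint64_t tabsize = (uint64_t)shentsize * shnum;
	if (shoff > len || tabsize > (uint64_t)len - shoff)
		return SHTAB_OUT_OF_BOUNDS;
	return SHTAB_OK;
}

/* Return the sh_type of section header idx, stepping through the table with
 * the file's e_shentsize rather than sizeof(Elf64_Shdr), so an oversized
 * entry size still puts every header at the right offset. -1 on error. */
long shdr_type(const uint8_t *img, size_t len, uint16_t idx)
{
	if (check_shtab(img, len) != SHTAB_OK)
		return -1;
	uint64_t shoff = rd64(img + OFF_E_SHOFF);
	uint16_t shentsize = rd16(img + OFF_E_SHENTSIZE);
	if (idx >= rd16(img + OFF_E_SHNUM))
		return -1;
	return rd32(img + shoff + (uint64_t)idx * shentsize + OFF_SH_TYPE);
}

/* Constructed test image (assumption, not real file data): an ELF64 header
 * followed by shnum entries of shentsize bytes, entry i having sh_type 100+i. */
size_t build_image(uint8_t *buf, size_t cap, uint16_t shentsize, uint16_t shnum)
{
	size_t need = EHDR_SIZE + (size_t)shentsize * shnum;
	if (need > cap)
		return 0;
	memset(buf, 0, need);
	memcpy(buf, "\x7f" "ELF\x02\x01\x01", 7);   /* magic, ELFCLASS64, LSB */
	wr64(buf + OFF_E_SHOFF, EHDR_SIZE);
	wr16(buf + OFF_E_SHENTSIZE, shentsize);
	wr16(buf + OFF_E_SHNUM, shnum);
	if (shentsize >= OFF_SH_TYPE + 4)
		for (uint16_t i = 0; i < shnum; i++)
			wr32(buf + EHDR_SIZE + (size_t)i * shentsize + OFF_SH_TYPE, 100 + i);
	return need;
}

/* Scenario helpers: build an image, optionally cut `trim` bytes off its end,
 * and return the check result / the sh_type seen at index idx. */
int scenario_status(uint16_t shentsize, uint16_t shnum, size_t trim)
{
	uint8_t img[4096];
	size_t len = build_image(img, sizeof img, shentsize, shnum);
	return len > trim ? (int)check_shtab(img, len - trim) : -1;
}

long scenario_type(uint16_t shentsize, uint16_t shnum, uint16_t idx)
{
	uint8_t img[4096];
	size_t len = build_image(img, sizeof img, shentsize, shnum);
	return shdr_type(img, len, idx);
}

int main(void)
{
	printf("e_shentsize=1:  status=%d\n", scenario_status(1, 2, 0));
	printf("e_shentsize=72: status=%d type[1]=%ld\n", scenario_status(72, 2, 0), scenario_type(72, 2, 1));
	printf("truncated table: status=%d\n", scenario_status(64, 2, 1));
	return 0;
}
```

With the stride taken from the file, an e_shentsize of 72 is both accepted and read correctly; a fixed Elf_Shdr[] indexed with sizeof(Elf_Shdr) would instead read header 1 from offset 64 inside the table rather than 72.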