Hi, This patch ensures that when an error is detected, the variables freed in elf_symloadx() are reinitialised.
Else show_file() in nm.c will used these variables, even if they has just been freed. (nm.c +689). Problem found by afl.
-- Sébastien Marie
Index: elf.c
===================================================================
RCS file: /cvs/src/usr.bin/nm/elf.c,v
retrieving revision 1.28
diff -u -p -r1.28 elf.c
--- elf.c 17 May 2015 20:19:08 -0000 1.28
+++ elf.c 19 Jun 2015 06:42:12 -0000
@@ -479,6 +479,7 @@ elf_symloadx(const char *name, FILE *fp,
 warn("%s: malloc names", name);
 if (stab)
 MUNMAP(stab, *pstabsize);
+ *pnrawnames = 0;
 return (1);
 }
 if ((*psnames = calloc(*pnrawnames, sizeof(np))) == NULL) {
@@ -486,6 +487,8 @@ elf_symloadx(const char *name, FILE *fp,
 if (stab)
 MUNMAP(stab, *pstabsize);
 free(*pnames);
+ *pnames = NULL;
+ *pnrawnames = 0;
 return (1);
 }
 
@@ -497,6 +500,9 @@ elf_symloadx(const char *name, FILE *fp,
 MUNMAP(stab, *pstabsize);
 free(*pnames);
 free(*psnames);
+ *pnames = NULL;
+ *psnames = NULL;
+ *pnrawnames = 0;
 return (1);
 }
 
Index: util.h
===================================================================
RCS file: /cvs/src/usr.bin/nm/util.h,v
retrieving revision 1.3
diff -u -p -r1.3 util.h
--- util.h 17 May 2015 20:19:08 -0000 1.3
+++ util.h 19 Jun 2015 06:42:12 -0000
@@ -26,6 +26,7 @@
 munmap(addr, len); \
 else \
 free(addr); \
+ addr = NULL; \
 } while (0)
 
 extern int usemmap;
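Review bot: The first error path (the `malloc names` failure) resets `*pnrawnames` but, unlike the two later error paths in this patch, leaves `*psnames` untouched, so it keeps whatever value the caller had in it; if show_file() reuses that variable across files, a stale pointer can survive this path. Adding `*psnames = NULL;` beside `*pnrawnames = 0;` makes all three error paths clear the same set of outputs. Since the same teardown is now written three times, a single `fail:` label that unmaps stab, frees and nulls both name arrays and zeroes `*pnrawnames` would keep them from drifting apart again. Note that `MUNMAP` clears only the local `stab`; whether the caller holds its own copy of that mapping through an out-parameter is not visible here. elf_symloadx starts and ends outside this hunk.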
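Review bot: `MUNMAP` now stores into its `addr` argument, which quietly makes the macro require an lvalue and evaluates `addr` three times (`munmap`, `free`, and the new assignment); a caller passing a cast, `p + off`, or an expression with side effects will now fail to compile or misbehave. That contract should be stated on the macro: `/* Release addr (munmap or free, depending on usemmap) and set it to NULL; addr must be a plain lvalue with no side effects. */`. The `#define MUNMAP(addr, len)` head and its `if (usemmap)` line sit above this hunk, so the comment belongs immediately before them.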