On Sat, Jul 29, 2017 at 10:43:23AM +0100, Stuart Henderson wrote:
> I was just running nm over all of /usr/lib on a system with C in malloc
> flags and ran into this.
>
> $ MALLOC_OPTIONS=C nm -s libc.so.89.3.a
The bug seems to be in mmbr_name. First add one to len so there's space
for the null with strlcpy. Second when advancing p to the end of the
string, subtract one from len so that p points to the null not past the
null. I believe the latter fixes the issue as the later *p = '\0'; wrote
past the end of the allocation.
Aside: I'm not sure p -= (long)*name; is valid C. Shouldn't that be
something like off_t offset = p - *name; ... p = name + offset; ?
- Matthew Martin
diff --git nm.c nm.c
index 5d2a1bfeb61..085c4152fc6 100644
--- nm.c
+++ nm.c
@@ -310,7 +310,7 @@ mmbr_name(struct ar_hdr *arh, char **name, int baselen, int
*namelen, FILE *fp)
int len;
i = atol(&arh->ar_name[1]);
- len = strlen(&nametab[i]);
+ len = strlen(&nametab[i]) + 1;
if (len > *namelen) {
p -= (long)*name;
if ((*name = realloc(*name, baselen+len)) == NULL)
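Review bot: with `len = strlen(&nametab[i]) + 1;` now counting the terminator, the `len > *namelen` check and the `realloc(*name, baselen+len)` size both include it, but the store of the new capacity into `*namelen` lies outside this hunk and must keep the same NUL-inclusive meaning, otherwise the next call compares a NUL-inclusive `len` against a NUL-exclusive `*namelen` and the realloc decision is off by one in the other direction. Separately, nothing in the hunk bounds `i` from `atol(&arh->ar_name[1])` against the size of nametab before `strlen(&nametab[i])` runs; if that check lives elsewhere this is fine, otherwise a crafted member header indexes past the name table.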
@@ -319,7 +319,7 @@ mmbr_name(struct ar_hdr *arh, char **name, int baselen, int
*namelen, FILE *fp)
p += (long)*name;
}
strlcpy(p, &nametab[i], len);
- p += len;
+ p += len - 1;
} else
#ifdef AR_EFMT1
/*
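Review bot: `p += len - 1;` leaves p on the NUL that strlcpy wrote at `p[len - 1]`, so the later `*p = '\0'` mentioned in the mail now lands in bounds; since strlcpy already terminated the string, that later store is redundant but harmless. Because `len` is exactly `strlen(&nametab[i]) + 1`, truncation cannot occur here, and `p += strlcpy(p, &nametab[i], len);` would express the same position without the separate `- 1`, as strlcpy returns the source length. The context line `p += (long)*name;` is the other half of a rebase that round-trips the pointer through an integer; the portable form is to save `ptrdiff_t off = p - *name;` before the realloc and set `p = *name + off;` after it.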
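As an added illustration of the two sizing lines the patch touches (this is example code written for this page, not nm.c or any OpenBSD source), the program below mirrors the original and the patched arithmetic with a local strlcpy stand-in and a hypothetical append_name_orig/append_name_fixed pair, then reports what got copied and where p lands relative to the allocation. The archive prefix and member name are constructed inputs; the realloc rebase uses ptrdiff_t rather than the (long) cast in nm.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for OpenBSD strlcpy(3): copies at most size-1 bytes,
 * always NUL-terminates when size > 0, returns strlen(src). Included so
 * the example builds on libcs that lack strlcpy. */
static size_t xstrlcpy(char *dst, const char *src, size_t size)
{
    size_t n = strlen(src);
    if (size > 0) {
        size_t c = n < size - 1 ? n : size - 1;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* Outcome of one "append the long member name" step (hypothetical type). */
struct append_result {
    char *buf;       /* heap buffer of exactly alloc bytes */
    size_t alloc;    /* bytes allocated for buf */
    size_t p_offset; /* where p ends up, as an offset from buf */
};

/* Shared mechanics: buf holds the archive prefix, p points just past it,
 * the buffer is grown to baselen+len, the name is copied with strlcpy(len)
 * and p is advanced by `advance`. Only len and advance differ between the
 * original and patched variants. */
static struct append_result grow_and_copy(const char *base, const char *name,
                                          size_t len, size_t advance)
{
    struct append_result r;
    size_t baselen = strlen(base);

    r.buf = malloc(baselen);
    if (r.buf == NULL)
        abort();
    memcpy(r.buf, base, baselen);
    char *p = r.buf + baselen;

    ptrdiff_t off = p - r.buf;           /* save p as an offset ... */
    r.alloc = baselen + len;
    char *nb = realloc(r.buf, r.alloc);
    if (nb == NULL)
        abort();
    r.buf = nb;
    p = r.buf + off;                     /* ... and rebase after realloc */

    xstrlcpy(p, name, len);
    p += advance;
    r.p_offset = (size_t)(p - r.buf);
    return r;
}

/* Original sizing: len = strlen(name); strlcpy(p, name, len); p += len.
 * strlcpy copies only len-1 bytes, so the last character is dropped, and
 * p lands one past the end of the allocation, where a later *p = '\0'
 * would write out of bounds. */
struct append_result append_name_orig(const char *base, const char *name)
{
    size_t len = strlen(name);
    return grow_and_copy(base, name, len, len);
}

/* Patched sizing: len = strlen(name) + 1; the whole name plus its NUL is
 * copied, and p += len - 1 leaves p on that NUL, inside the buffer. */
struct append_result append_name_fixed(const char *base, const char *name)
{
    size_t len = strlen(name) + 1;
    return grow_and_copy(base, name, len, len - 1);
}

/* 1 if p is inside the allocation (safe to store through), else 0. */
int p_in_bounds(struct append_result r)
{
    return r.p_offset < r.alloc;
}

/* 1 if p is in bounds and sits on the terminator strlcpy wrote. */
int p_on_terminator(struct append_result r)
{
    return p_in_bounds(r) && r.buf[r.p_offset] == '\0';
}

int main(void)
{
    /* Constructed inputs: an archive prefix and one long member name. */
    const char *base = "libc.a:", *name = "longname.o";
    struct append_result a = append_name_orig(base, name);
    struct append_result b = append_name_fixed(base, name);

    printf("original: copied \"%s\", p at %zu of %zu bytes, in bounds: %d\n",
           a.buf + strlen(base), a.p_offset, a.alloc, p_in_bounds(a));
    printf("patched:  copied \"%s\", p at %zu of %zu bytes, on NUL: %d\n",
           b.buf + strlen(base), b.p_offset, b.alloc, p_on_terminator(b));
    free(a.buf);
    free(b.buf);
    return 0;
}
```

Run it and the original variant reports the truncated "longname." with p at offset 17 of a 17-byte buffer, while the patched variant reports the full "longname.o" with p on the terminator at offset 17 of 18 bytes; under MALLOC_OPTIONS=C the original's later `*p = '\0'` is exactly the store that trips the guard.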