On 29/07/17(Sat) 21:56, Matthew Martin wrote:
> On Sat, Jul 29, 2017 at 10:43:23AM +0100, Stuart Henderson wrote:
> > I was just running nm over all of /usr/lib on a system with C in malloc
> > flags and ran into this.
> >
> > $ MALLOC_OPTIONS=C nm -s libc.so.89.3.a
>
> The bug seems to be in mmbr_name. First add one to len so there's space
> for the null with strlcpy. Second when advancing p to the end of the
> string, subtract one from len so that p points to the null not past the
> null. I believe the latter fixes the issue as the later *p = '\0'; wrote
> past the end of the allocation.
I agree with your analysis and your diff fixes the issue, ok mpi@ > diff --git nm.c nm.c > index 5d2a1bfeb61..085c4152fc6 100644 > --- nm.c > +++ nm.c > @@ -310,7 +310,7 @@ mmbr_name(struct ar_hdr *arh, char **name, int baselen, > int *namelen, FILE *fp) > int len; > > i = atol(&arh->ar_name[1]); > - len = strlen(&nametab[i]); > + len = strlen(&nametab[i]) + 1; > if (len > *namelen) { > p -= (long)*name; > if ((*name = realloc(*name, baselen+len)) == NULL) > @@ -319,7 +319,7 @@ mmbr_name(struct ar_hdr *arh, char **name, int baselen, > int *namelen, FILE *fp) > p += (long)*name; > } > strlcpy(p, &nametab[i], len); > - p += len; > + p += len - 1; > } else > #ifdef AR_EFMT1 > /* >
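Review bot: In the first hunk, `len` now counts the terminating NUL, so both the `len > *namelen` comparison and the `realloc(*name, baselen+len)` size change meaning; the statement that stores the new size into `*namelen` after the realloc falls just outside the shown context, so confirm it records the same NUL-inclusive `len`. If `*namelen` were still kept as a bare string length, a later name of exactly `*namelen` characters would pass the growth check and the copy would again land one byte short of what strlcpy needs. A one-line comment on the `+ 1` saying it reserves room for strlcpy's terminator would spare the next reader the same question.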
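Review bot: In the second hunk, `strlcpy(p, &nametab[i], len)` with the NUL-inclusive `len` now writes exactly the bytes that were allocated for it, and `p += len - 1` leaves `p` on the terminator instead of one past it, which is what the report describes for the later `*p = '\0'` store; read cold, `len - 1` looks like an off-by-one, so the commit message should say that `len` includes the NUL and that both hunks are needed together (the first alone would still advance `p` one byte past the string). The `p -= (long)*name` / `p += (long)*name` pointer-to-integer round trip across the realloc is unchanged by this diff and is worth a separate cleanup, not part of this fix.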
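The length accounting the diff settles on, written out as an added, self-contained example (this is not the nm.c code under review, and the names `namebuf`, `append_member_name`, `local_strlcpy` and the sample name table are all constructed here). The point it shows is the one that the first hunk relies on: once `len` counts the terminating NUL, the growth check, the allocation size, the strlcpy size and the stored `namelen` must all use that same convention, and the returned pointer then lands on the NUL rather than past it. strlcpy(3) is not in glibc, so a local version with the same contract is included.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strlcpy(3) is not in glibc; this local version (an assumption of this
 * example) keeps its contract: copy at most dsize-1 bytes, always NUL-
 * terminate when dsize > 0, return strlen(src). */
static size_t local_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);

    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Growable buffer: a fixed prefix of baselen bytes, then the member name.
 * namelen is the space after the prefix counted INCLUDING the NUL, and
 * every comparison and allocation below uses that same convention. */
struct namebuf {
    char *name;
    int baselen;
    int namelen;
};

/* Copy nametab[i..] after the prefix, growing the buffer if needed.
 * Returns a pointer to the terminating NUL of the copied name, or NULL
 * if the allocation failed. */
static char *append_member_name(struct namebuf *nb, const char *nametab, long i)
{
    char *p, *n;
    int len;

    len = (int)strlen(&nametab[i]) + 1;     /* +1: room for strlcpy's NUL */
    if (len > nb->namelen) {
        n = realloc(nb->name, nb->baselen + len);
        if (n == NULL)
            return NULL;
        nb->name = n;
        nb->namelen = len;                  /* stored NUL-inclusive, like len */
    }
    p = nb->name + nb->baselen;
    local_strlcpy(p, &nametab[i], (size_t)len);
    return p + len - 1;                     /* on the NUL, not one past it */
}

/* Constructed sample: an ar(5)-style long-name table with two entries,
 * each ending in '/' and a NUL. Offsets: entry 0 at 0 (24 chars), entry 1
 * at 25 (4 chars). */
static const char sample_nametab[] = "very_long_member_name.o/\0a.o/\0";

/* Runs the sample through append_member_name and checks the invariants
 * the fix depends on. Returns 1 when all hold, 0 otherwise. */
static int demo_ok(void)
{
    struct namebuf nb;
    char *end;

    nb.baselen = 4;
    nb.namelen = 0;
    nb.name = malloc(nb.baselen);
    if (nb.name == NULL)
        return 0;
    memcpy(nb.name, "lib:", 4);

    /* First name forces growth: namelen must become strlen+1 = 25 and the
     * returned pointer must sit exactly on the terminator. */
    end = append_member_name(&nb, sample_nametab, 0);
    if (end == NULL || *end != '\0' || end != nb.name + nb.baselen + 24)
        goto fail;
    if (nb.namelen != 25 ||
        strcmp(nb.name + nb.baselen, "very_long_member_name.o/") != 0)
        goto fail;
    /* Dropping the trailing '/' by writing at end-1 stays in bounds. */
    end[-1] = '\0';
    if (strcmp(nb.name + nb.baselen, "very_long_member_name.o") != 0)
        goto fail;

    /* Second, shorter name at offset 25: fits, no growth, still terminated,
     * prefix untouched. */
    end = append_member_name(&nb, sample_nametab, 25);
    if (end == NULL || *end != '\0' || nb.namelen != 25)
        goto fail;
    if (strcmp(nb.name + nb.baselen, "a.o/") != 0 ||
        memcmp(nb.name, "lib:", 4) != 0)
        goto fail;

    free(nb.name);
    return 1;
fail:
    free(nb.name);
    return 0;
}

int main(void)
{
    printf("length accounting %s\n", demo_ok() ? "ok" : "BROKEN");
    return 0;
}
```

Running it under a malloc that poisons or guards allocations (the `C` option from the report on OpenBSD, or a sanitizer elsewhere) is the useful check: with the `+ 1` removed from `len` and `- 1` removed from the return, the same sample overruns the buffer by one byte at the first call.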