On 29/07/17(Sat) 21:56, Matthew Martin wrote:
> On Sat, Jul 29, 2017 at 10:43:23AM +0100, Stuart Henderson wrote:
> > I was just running nm over all of /usr/lib on a system with C in malloc
> > flags and ran into this.
> >
> > $ MALLOC_OPTIONS=C nm -s libc.so.89.3.a
>
> The bug seems to be in mmbr_name. First add one to len so there's space
> for the null with strlcpy. Second when advancing p to the end of the
> string, subtract one from len so that p points to the null not past the
> null. I believe the latter fixes the issue as the later *p = '\0'; wrote
> past the end of the allocation.
I agree with your analysis and your diff fixes the issue, ok mpi@
> diff --git nm.c nm.c
> index 5d2a1bfeb61..085c4152fc6 100644
> --- nm.c
> +++ nm.c
> @@ -310,7 +310,7 @@ mmbr_name(struct ar_hdr *arh, char **name, int baselen,
> int *namelen, FILE *fp)
> int len;
>
> i = atol(&arh->ar_name[1]);
> - len = strlen(&nametab[i]);
> + len = strlen(&nametab[i]) + 1;
> if (len > *namelen) {
> p -= (long)*name;
> if ((*name = realloc(*name, baselen+len)) == NULL)
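Review bot: with the added `+ 1`, `len` now counts the terminator, so `baselen+len` in the `realloc` call reserves the NUL byte, but the `if (len > *namelen)` guard only holds if `*namelen` is kept under the same convention (bytes reserved including the terminator); the place where `*namelen` is updated is outside this hunk, so it should be confirmed that it is set to the new `len` once the realloc succeeds, otherwise the next call could skip the grow step with one byte too few. A short comment on the changed line, e.g. `len = strlen(&nametab[i]) + 1;	/* including NUL */`, would spare the next reader from re-deriving why the extra byte is needed for `strlcpy`.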
> @@ -319,7 +319,7 @@ mmbr_name(struct ar_hdr *arh, char **name, int baselen,
> int *namelen, FILE *fp)
> p += (long)*name;
> }
> strlcpy(p, &nametab[i], len);
> - p += len;
> + p += len - 1;
> } else
> #ifdef AR_EFMT1
> /*
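Review bot: `p += len - 1;` is correct now that `len` includes the terminator, but it silently depends on the `+ 1` in the previous hunk; `p += strlcpy(p, &nametab[i], len);` would advance by the source length that `strlcpy` itself returns (the strlen of the source, which is `len - 1` here, so no truncation is possible) and leave `p` on the NUL without the hand-maintained offset. Either way, the later `*p = '\0'` referred to in the cover text now overwrites the terminator `strlcpy` already placed, inside the allocation, instead of the byte past its end, which is what `MALLOC_OPTIONS=C` was catching.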
>