Hi,
Here's a patch which fixes a potential crash in nm. The crash file [0] was
found thanks to zzuf [1]. While fixing the bug, I've also found two
places where free(3) is called on a NULL pointer.
Best regards,
Charles Longeau
[0]
[1] http://sam.zoy.org/zzuf/
Index: usr.bin/nm/elf.c
RCS file: /cvs/src/usr.bin/nm/elf.c,v
retrieving revision 1.14
diff -u -p -r1.14 elf.c
usr.bin/nm/elf.c30 Sep 2006 14:34:13 -00001.14
usr.bin/nm/elf.c6 Feb 2007 21:45:45 -0000
@@ -475,7 +475,6 @@ elf_symloadx(const char *name, FILE *fp,
warn("%s: malloc names", name);
if (stab)
MUNMAP(stab, *pstabsize);
-free(*pnames);
free(shstr);
return (1);
}
@@ -485,7 +484,6 @@ elf_symloadx(const char *name, FILE *fp,
MUNMAP(stab, *pstabsize);
free(shstr);
free(*pnames);
-free(*psnames);
return (1);
}
@@ -508,7 +506,10 @@ elf_symloadx(const char *name, FILE *fp,
elf2nlist(&sbuf, eh, shdr, shstr, np);
np->n_value = sbuf.st_value;
-np->n_un.n_strx = sbuf.st_name;
+if (sbuf.st_name *pstabsize)
+warnx("%s: corrupted name offset", name);
+else
+np->n_un.n_strx = sbuf.st_name;
np++;
}
*pnrawnames = np - *pnames;
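Review bot: The new bounds check on st_name leaves `np->n_un.n_strx` unassigned on the "corrupted name offset" path, so whatever the allocator left in `*pnames` is later used as a string-table offset and the out-of-bounds read the patch is meant to stop is still reachable; add `np->n_un.n_strx = 0;` in the warnx branch (offset 0 is the leading NUL of an ELF string table), e.g. `if (sbuf.st_name >= *pstabsize) { warnx("%s: corrupted name offset", name); np->n_un.n_strx = 0; } else np->n_un.n_strx = sbuf.st_name;`. The comparison operator between `sbuf.st_name` and `*pstabsize` is missing from the line as it appears here, presumably lost in mail rendering; confirm the committed line reads `>=`, since a plain `>` would still admit an offset one past the table. Note that an in-range offset only guarantees the first byte is inside the table, not that the string is NUL-terminated before its end, so this relies on the last byte of stab being NUL, which would have to be checked where stab is mapped, outside this hunk. A per-symbol warnx also means a fuzzed file with a large symbol table will emit one line per bad symbol; warning once may be friendlier. elf_symloadx starts before and continues after this hunk.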