Bug 26111 - Attempting free on address which was not malloc()
Summary: Attempting free on address which was not malloc()
Status: RESOLVED DUPLICATE of bug 25447
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.34
Importance: P2 normal
Target Milestone: 2.34
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-11 12:28 UTC by 15664243668
Modified: 2020-06-11 13:13 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
PoC (71 bytes, model/x.stl-binary)
2020-06-11 12:28 UTC, 15664243668

Description 15664243668 2020-06-11 12:28:43 UTC
Created attachment 12616 [details]
PoC

By fuzzing, I have found an "attempting free on address which was not malloc()" bug in function _bfd_coff_free_symbols, located at binutils-2.34/bfd/coffgen.c:1782. This bug is triggered with:
$ objdump -d PoC

We compiled GNU Binutils-2.34 with AddressSanitizer as a 32-bit build on Ubuntu 16.04. The information printed is:

./id:000047,sig:06,src:001766,op:havoc,rep:4:     file format pei-i386


Disassembly of section .text:

00000000 <.text>:
   0:	ff 25 00 00 00 00    	jmp    *0x0
   6:	90                   	nop
   7:	90                   	nop
=================================================================
==20459==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xf3803b60 in thread T0
    #0 0xf7275a84 in free (/usr/lib32/libasan.so.2+0x96a84)
    #1 0x867669f in _bfd_coff_free_symbols /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/coffgen.c:1782
    #2 0x867669f in _bfd_coff_close_and_cleanup /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/coffgen.c:3180
    #3 0x82b5784 in bfd_close_all_done /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/opncls.c:789
    #4 0x8059628 in display_file objdump.c:5016
    #5 0x8059628 in main objdump.c:5349
    #6 0xf703e636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #7 0x805ced5  (/home/ubuntu/yuetai/asan_target/binutils-2-34/objdump+0x805ced5)

0xf3803b60 is located 736 bytes inside of 1745-byte region [0xf3803880,0xf3803f51)
allocated by thread T0 here:
    #0 0xf7275f8e in calloc (/usr/lib32/libasan.so.2+0x96f8e)
    #1 0x82a60ae in bfd_malloc /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/libbfd.c:275
    #2 0x82a60ae in bfd_zmalloc /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/libbfd.c:360
    #3 0x893dd8b  (/home/ubuntu/yuetai/asan_target/binutils-2-34/objdump+0x893dd8b)

SUMMARY: AddressSanitizer: bad-free ??:0 free
==20459==ABORTING
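As an added triage aid (my own code, not part of the report or of binutils), the following parser reads the AddressSanitizer output above and pulls out what a maintainer checks first: the error kind, the first frame with a source location, and the allocation region, cross-checking that the freed pointer really is an interior pointer into a live calloc'd block (736 bytes into a 1745-byte region) rather than a stale or wild pointer. The sample text is the report quoted above, abridged; the regular expressions are assumptions about ASan's textual format.

```python
import re

# Constructed sample: the AddressSanitizer report quoted above, abridged to
# the lines the parser needs (the remaining stack frames add nothing to triage).
SAMPLE_REPORT = """\
==20459==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xf3803b60 in thread T0
    #0 0xf7275a84 in free (/usr/lib32/libasan.so.2+0x96a84)
    #1 0x867669f in _bfd_coff_free_symbols /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/coffgen.c:1782
    #2 0x867669f in _bfd_coff_close_and_cleanup /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/coffgen.c:3180

0xf3803b60 is located 736 bytes inside of 1745-byte region [0xf3803880,0xf3803f51)
allocated by thread T0 here:
    #0 0xf7275f8e in calloc (/usr/lib32/libasan.so.2+0x96f8e)
    #1 0x82a60ae in bfd_malloc /home/ubuntu/yuetai/asan_programs/binutils-2.34/bfd/libbfd.c:275

SUMMARY: AddressSanitizer: bad-free ??:0 free
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (.+?): (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?)(?::(\d+))?$", re.M)
REGION_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def parse_asan_report(text):
    """Return the facts a triager needs from an ASan bad-free report."""
    head, _, _tail = text.partition("allocated by")  # error stack vs. allocation stack
    m = ERROR_RE.search(head)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    kind, addr = m.group(1), int(m.group(2), 16)
    frames = [(func, loc, int(line) if line else None)
              for func, loc, line in FRAME_RE.findall(head)]
    # Frame #0 is ASan's own free() interceptor; the first frame carrying a
    # source line is the call site that issued the bad free.
    culprit = next((f for f in frames if f[2] is not None), None)
    info = {"kind": kind, "address": addr, "culprit": culprit, "region": None}
    r = REGION_RE.search(text)
    if r:
        lo, hi = int(r.group(4), 16), int(r.group(5), 16)
        off, size = addr - lo, hi - lo
        # Cross-check ASan's prose against the addresses it prints.
        if off != int(r.group(2)) or size != int(r.group(3)):
            raise ValueError("region description does not match the addresses")
        # 0 < off < size: the pointer lands inside a live block rather than at its
        # start, so a sub-object of a larger allocation is being freed, not a double free.
        info["region"] = {"start": lo, "size": size, "offset": off,
                          "interior": 0 < off < size}
    return info
```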
Comment 1 Alan Modra 2020-06-11 13:13:48 UTC
Fixed for 2.35

*** This bug has been marked as a duplicate of bug 25447 ***