If an ELF executable's DT_RPATH ends in a directory entry that requires no
dynamic string token expansion, has no trailing '/', and names a directory
not seen before, then fillin_rpath() in glibc-2.2/elf/dl-load.c reads beyond
the end of a block that was allocated by malloc().
Subroutine decompose_rpath() calls at line 531:

    copy = expand_dynamic_string_token (l, rpath);

and at line 548:

    fillin_rpath (copy, result, ":", 0, what, where);

Then fillin_rpath() adds a trailing slash at line 388:

    cp[len++] = '/';

and reads beyond the end at line 422:

    memcpy ((char *) dirp->dirname, cp, len + 1);
One fix is to allocate 2 extra bytes (instead of just 1)
in expand_dynamic_string_token(), and set the last one to '\0'.
Fixed in glibc-2.2-9
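The following is an added model of the defect and the fix, not glibc code: expand_rpath() stands in for expand_dynamic_string_token() with a configurable amount of slack, and fillin_over_read() repeats the in-place slash append of line 388 but, instead of performing the memcpy of line 422, reports how many bytes that copy would read past the heap block. The function names and the bounds bookkeeping are assumptions of this model; with 1 byte of slack (glibc-2.2) the last entry over-reads, with 2 bytes (the fix) it does not.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of expand_dynamic_string_token(): a malloc'd copy of the
 * DT_RPATH string with `extra` bytes of slack. glibc-2.2 allocated 1 (just the
 * NUL); the fix allocates 2 and sets the last byte to '\0'. */
static char *expand_rpath(const char *rpath, size_t extra, size_t *cap)
{
    size_t n = strlen(rpath);
    char *copy = malloc(n + extra);
    if (copy == NULL)
        abort();
    memcpy(copy, rpath, n);
    memset(copy + n, 0, extra);   /* NUL terminator plus any slack byte */
    *cap = n + extra;
    return copy;
}

/* Model of the per-directory step in fillin_rpath() for the token `cp`, which
 * lives inside the heap block `block` of `cap` bytes. It performs the same
 * in-place slash append as line 388, but instead of doing the memcpy of
 * line 422 it returns how many bytes that memcpy would read past the block
 * (0 means the access is in bounds). */
static size_t fillin_over_read(char *block, size_t cap, char *cp)
{
    size_t len = strlen(cp);
    if (len == 0)
        return 0;                 /* empty entry: nothing appended */
    if (cp[len - 1] != '/')
        cp[len++] = '/';          /* overwrites the token's NUL in place */
    /* memcpy (dirp->dirname, cp, len + 1) touches cp[0] .. cp[len] */
    size_t last = (size_t)(cp - block) + len;
    return last < cap ? 0 : last - cap + 1;
}

/* The last ':'-separated entry is the risky one: the byte after it is the
 * block's terminating NUL, and the appended '/' consumes it. */
static size_t rpath_over_read(const char *rpath, size_t extra)
{
    size_t cap;
    char *copy = expand_rpath(rpath, extra, &cap);
    char *last = strrchr(copy, ':');
    size_t n = fillin_over_read(copy, cap, last ? last + 1 : copy);
    free(copy);
    return n;
}
```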