There is unquestionably a bug in the allocation in int parse_elf_to_payload that is resulting in a trashed malloc arena.
I'm not quite sure I understand it yet, but this happens: I have a filo payload which has 47516 bytes of data in two segments. The code parse_elf_to_payload computes the amount of memory to allocate and computes 47628. But the code then goes on to overwrite 47676 bytes of data. There is some simple calculation going wrong, staring me in the face ... I don't see it yet, but one of you might.
The result is this:
*** glibc detected *** ./cbfs/cbfstool: malloc: top chunk is corrupt: 0x0000000000d4fd60 ***
I have fixed this for now: I allocate 1048576 more bytes than needed :-)
ron