In init_sam_from_buffer_v0 and init_sam_from_buffer_v1 (or just init_sam_from_buffer in older versions), if the call to tdb_unpack() fails for some reason, control passes to the label "done"; the code then frees a number of pointers which may never have been initialized. This can cause the process in question to crash; it certainly has on Linux (glibc's malloc/free doesn't do much in the way of sanity checks, I believe). The fix is simple: initialize the various pointers to NULL, so that in case of unpack failure the free is a no-op, as was apparently intended. One thing that can trigger this bug is trying to downgrade a system from 3.0.4 to 3.0.2a; any records that have been written in the _v1 format will have a time value (when the password must change) where the old unpacker expects to find the length of the username.
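The failure path described in this report, as an added C example that is not Samba's code: a toy length-prefixed record format stands in for tdb_unpack(), and the pointers are initialised to NULL so the cleanup at `done:` is a no-op when unpacking fails. The sample records, including one that mimics the v1 time value being read by the v0 unpacker as a username length, are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy record layout, constructed for this example (not Samba's tdb pack
 * format): [u32 LE username_len][username][u32 LE nt_pw_len][nt_pw]. */
struct sam_rec { char *username; uint8_t *nt_pw; size_t nt_pw_len; };

/* Unpack one length-prefixed field into a fresh NUL-terminated allocation;
 * NULL when the declared length does not fit the remaining buffer. */
static uint8_t *unpack_field(const uint8_t *buf, size_t len, size_t *n)
{
    if (len < 4) return NULL;
    uint32_t l = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                 (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (l > len - 4) return NULL;         /* e.g. a time value read as a length */
    uint8_t *p = malloc((size_t)l + 1);
    if (!p) return NULL;
    memcpy(p, buf + 4, l);
    p[l] = 0;
    *n = l;
    return p;
}

/* Shape of the original bug (not compiled here):
 *   char *username; uint8_t *nt_pw;          <- never initialised
 *   if (tdb_unpack(...) == -1) goto done;    <- skips the assignments
 * done: SAFE_FREE(username); SAFE_FREE(nt_pw);  <- frees stack garbage */
int init_sam_fixed(const uint8_t *buf, size_t len, struct sam_rec *rec)
{
    char *username = NULL;      /* the fix: every pointer starts at NULL, */
    uint8_t *nt_pw = NULL;      /* so free() on the failure path is a no-op */
    size_t ulen = 0, plen = 0;
    username = (char *)unpack_field(buf, len, &ulen);
    if (!username) goto done;
    nt_pw = unpack_field(buf + 4 + ulen, len - 4 - ulen, &plen);
    if (!nt_pw) goto done;
    rec->username = username; rec->nt_pw = nt_pw; rec->nt_pw_len = plen;
    return 0;
done:
    free(username);             /* NULL or a live allocation: safe either way */
    free(nt_pw);
    return -1;
}

/* Constructed samples. V1_REC mimics the downgrade case from the report: the
 * leading "time" value 0x40000000 is read by the v0 unpacker as a length. */
static const uint8_t GOOD_REC[]  = {3,0,0,0,'b','o','b', 2,0,0,0,0xAA,0xBB};
static const uint8_t V1_REC[]    = {0,0,0,0x40,'b','o','b'};
static const uint8_t TRUNC_REC[] = {3,0,0,0,'b','o','b', 2,0};  /* cut short */
```

TRUNC_REC exercises the mixed case the NULL initialisation also covers: the first field has already been allocated when the second fails, so `done:` must free one live pointer and one NULL.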
Fixed. Just to note though that downgrading is not supported for tdbs.
Sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.