From ef21bd2d8c6805c0c186a01f7c5039189f51b8c4 Mon Sep 17 00:00:00 2001
From: DJ Delorie
Date: Fri, 18 Oct 2019 17:15:52 -0400
Subject: loadarchive: guard against locale-archive corruption (Bug #25115)
_nl_load_locale_from_archive() checks for a zero size, but divides by both (size) and (size-2). Extend the check to guard against a size of two or less.
Tested by manually corrupting locale-archive and running a program that calls setlocale() with LOCPATH unset (size is typically very large).
Reviewed-by: Carlos O'Donell
---
locale/loadarchive.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/locale/loadarchive.c b/locale/loadarchive.c
index 981f68d410..b4a73d5c94 100644
--- a/locale/loadarchive.c
+++ b/locale/loadarchive.c
@@ -274,7 +274,7 @@ _nl_load_locale_from_archive (int category, const char **namep)
+ head->namehash_offset);
/* Avoid division by 0 if the file is corrupted. */
- if (__glibc_unlikely (head->namehash_size == 0))
+ if (__glibc_unlikely (head->namehash_size <= 2))
goto close_and_out;
idx = hval % head->namehash_size;
--
cgit v1.2.3
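Review bot: The comment above the changed condition still reads `/* Avoid division by 0 if the file is corrupted. */`, which explains the old `== 0` but not why the new guard is `<= 2`; the second divisor (`size-2`) that motivates it is named only in the commit message, not at the check site, so a later reader could tighten the guard back to zero. Suggest widening the comment to `/* Avoid division by 0 if the file is corrupted: both namehash_size and namehash_size - 2 are used as divisors below.  */`. The hunk does not show whether namehash_offset and namehash_size are bounded against the mapped archive before the table at `head + namehash_offset` is read; if no such check exists elsewhere in the function, a corrupted header can still yield an out-of-bounds read that this guard does not cover. _nl_load_locale_from_archive's body begins and ends outside the hunk.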