author | DJ Delorie <dj@redhat.com> | 2019-10-18 17:15:52 -0400 |
---|---|---|
committer | DJ Delorie <dj@redhat.com> | 2019-10-18 20:40:54 -0400 |
commit | ef21bd2d8c6805c0c186a01f7c5039189f51b8c4 (patch) | |
tree | e5b1cd6c840e63bccd13bfbe05e7219aefc31f7a | |
parent | a807613bcff42dfacfe0961fa60e95c988ab6e92 (diff) | |
loadarchive: guard against locale-archive corruption (Bug #25115)

_nl_load_locale_from_archive() checks for a zero size, but
divides by both (size) and (size-2). Extend the check to
guard against a size of two or less.

Tested by manually corrupting locale-archive and running a program
that calls setlocale() with LOCPATH unset (size is typically very
large).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
-rw-r--r-- | locale/loadarchive.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/locale/loadarchive.c b/locale/loadarchive.c index 981f68d..b4a73d5 100644 --- a/locale/loadarchive.c +++ b/locale/loadarchive.c @@ -274,7 +274,7 @@ _nl_load_locale_from_archive (int category, const char **namep) + head->namehash_offset); /* Avoid division by 0 if the file is corrupted. */ - if (__glibc_unlikely (head->namehash_size == 0)) + if (__glibc_unlikely (head->namehash_size <= 2)) goto close_and_out; idx = hval % head->namehash_size; |
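
Review bot: the comment directly above the changed condition still reads "Avoid division by 0 if the file is corrupted", which explained the old `== 0` test but does not explain why the bound is now 2. The only division visible in this hunk is `hval % head->namehash_size`; the commit message says the function also divides by (size-2), so the comment should name that second divisor, for example "Avoid division by 0 in the modulo by namehash_size and by namehash_size - 2 if the file is corrupted". The commit message describes manual testing only, so it is also worth asking for a regression test that loads an archive whose header carries a namehash_size of 0, 1 and 2.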