aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDJ Delorie <dj@redhat.com>2019-10-18 17:15:52 -0400
committerDJ Delorie <dj@redhat.com>2019-10-18 20:40:54 -0400
commitef21bd2d8c6805c0c186a01f7c5039189f51b8c4 (patch)
treee5b1cd6c840e63bccd13bfbe05e7219aefc31f7a
parenta807613bcff42dfacfe0961fa60e95c988ab6e92 (diff)
downloadglibc-ef21bd2d8c6805c0c186a01f7c5039189f51b8c4.zip
glibc-ef21bd2d8c6805c0c186a01f7c5039189f51b8c4.tar.gz
glibc-ef21bd2d8c6805c0c186a01f7c5039189f51b8c4.tar.bz2
loadarchive: guard against locale-archive corruption (Bug #25115)
_nl_load_locale_from_archive() checks for a zero size, but divides by both (size) and (size-2). Extend the check to guard against a size of two or less. Tested by manually corrupting locale-archive and running a program that calls setlocale() with LOCPATH unset (size is typically very large). Reviewed-by: Carlos O'Donell <carlos@redhat.com>
-rw-r--r--locale/loadarchive.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/locale/loadarchive.c b/locale/loadarchive.c
index 981f68d..b4a73d5 100644
--- a/locale/loadarchive.c
+++ b/locale/loadarchive.c
@@ -274,7 +274,7 @@ _nl_load_locale_from_archive (int category, const char **namep)
+ head->namehash_offset);
/* Avoid division by 0 if the file is corrupted. */
- if (__glibc_unlikely (head->namehash_size == 0))
+ if (__glibc_unlikely (head->namehash_size <= 2))
goto close_and_out;
idx = hval % head->namehash_size;