From patchwork Fri Oct 18 21:21:49 2019
X-Patchwork-Submitter: DJ Delorie
X-Patchwork-Id: 35149
Date: Fri, 18 Oct 2019 17:21:49 -0400
Message-Id:
From: DJ Delorie
To: libc-alpha@sourceware.org
Subject: [patch] loadarchive: guard against locale-archive corruption

From 1c9ebf0296d4dfe32dd856fc6d1932212a0b0175 Mon Sep 17 00:00:00 2001
From: DJ Delorie
Date: Fri, 18 Oct 2019 17:15:52 -0400
Subject: loadarchive: guard against locale-archive corruption

_nl_load_locale_from_archive() checks for a zero size, but divides by
both (size) and (size-2).  Extend the check to guard against a size of
two or less.

Tested by manually corrupting locale-archive and running a program that
calls setlocale() with LOCPATH unset (size is typically very large).

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1470124

Reviewed-by: Carlos O'Donell

diff --git a/locale/loadarchive.c b/locale/loadarchive.c
index 981f68d410..b4a73d5c94 100644
--- a/locale/loadarchive.c
+++ b/locale/loadarchive.c
@@ -274,7 +274,7 @@ _nl_load_locale_from_archive (int category, const char **namep) + head->namehash_offset); /* Avoid division by 0 if the file is corrupted. */ - if (__glibc_unlikely (head->namehash_size == 0)) + if (__glibc_unlikely (head->namehash_size <= 2)) goto close_and_out; idx = hval % head->namehash_size;
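Review bot: the comment above the check, "Avoid division by 0 if the file is corrupted.", no longer explains why the threshold is 2 rather than 0, and the second divisor (namehash_size - 2) that the commit message cites is not among the hunk's context lines, so a later reader looking only at this spot could relax the check back to `== 0`. Suggest extending the comment, e.g. `/* Avoid division by 0 if the file is corrupted: both namehash_size and namehash_size - 2 are used as divisors below. */`, and confirming that no other use of head->namehash_size in this function needs a stricter bound than 3.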
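The pattern the patch fixes, as an added example that is not glibc's code: a header field read from an untrusted file is used as a divisor in a double-hashing probe (`idx = hval % size`, `incr = 1 + hval % (size - 2)`), so a corrupted size of 2 yields a remainder by zero even though a `== 0` check passes. The struct, the little-endian header parser and the function names below are hypothetical stand-ins; only the two divisors and the thresholds come from the commit message and the hunk.

```c
/* Added example, not glibc's loadarchive.c: validates a hash-table size
   field before it is used as a divisor, contrasting the pre-patch (== 0)
   and post-patch (<= 2) checks.  Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an on-disk archive header; only the field the
   patch concerns is modelled.  */
struct archive_header
{
  uint32_t namehash_size;
};

/* Parse a 4-byte little-endian size field from a file image.  Returns -1
   if the buffer is too short.  */
static int
parse_header (const unsigned char *buf, size_t len, struct archive_header *out)
{
  if (len < 4)
    return -1;
  out->namehash_size = (uint32_t) buf[0] | ((uint32_t) buf[1] << 8)
                       | ((uint32_t) buf[2] << 16) | ((uint32_t) buf[3] << 24);
  return 0;
}

/* Pre-patch style check: only a zero size is rejected.  */
static bool
namehash_size_ok_old (const struct archive_header *h)
{
  return h->namehash_size != 0;
}

/* Post-patch style check: sizes 0, 1 and 2 are rejected, so both divisors
   used by the probe are nonzero.  */
static bool
namehash_size_ok_new (const struct archive_header *h)
{
  return h->namehash_size > 2;
}

/* True if computing the probe parameters for SIZE would take a remainder
   by zero.  size - 2 is evaluated in unsigned 32-bit arithmetic, as a
   uint32_t header field would be, so size 1 wraps rather than hitting 0.  */
static bool
probe_would_divide_by_zero (uint32_t size)
{
  return size == 0 || (uint32_t) (size - 2) == 0;
}

/* Compute the starting slot and probe increment for an open-addressed table
   of the header's size, using the hardened check.  Returns -1 without
   touching the outputs when the header is corrupt, 0 otherwise.  */
static int
compute_probe (const struct archive_header *h, uint32_t hval,
               uint32_t *idx, uint32_t *incr)
{
  if (!namehash_size_ok_new (h))
    return -1;
  *idx = hval % h->namehash_size;
  *incr = 1 + hval % (h->namehash_size - 2);
  return 0;
}

int
main (void)
{
  /* Constructed file images: a corrupted header with size 2 and a sane
     header with size 5.  */
  static const unsigned char corrupt[4] = { 2, 0, 0, 0 };
  static const unsigned char sane[4] = { 5, 0, 0, 0 };
  struct archive_header h;
  uint32_t idx, incr;

  parse_header (corrupt, sizeof corrupt, &h);
  printf ("size %u: old check %s, new check %s, divide-by-zero %s\n",
          h.namehash_size, namehash_size_ok_old (&h) ? "passes" : "rejects",
          namehash_size_ok_new (&h) ? "passes" : "rejects",
          probe_would_divide_by_zero (h.namehash_size) ? "yes" : "no");

  parse_header (sane, sizeof sane, &h);
  if (compute_probe (&h, 10, &idx, &incr) == 0)
    printf ("size %u: idx %u incr %u\n", h.namehash_size, idx, incr);
  return 0;
}
```

The old check lets a size of 2 reach `hval % (size - 2)`, which is a remainder by zero; the new check rejects it before any arithmetic on the field. The same shape applies to any file format where a header count or table size becomes a divisor or array stride: validate the field against the smallest value every downstream use tolerates, not just against zero.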