Bug 25115 - Guard against divide by zero with corrupted locale archives
Summary: Guard against divide by zero with corrupted locale archives
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: locale
Version: unspecified
Importance: P2 normal
Target Milestone: 2.31
Assignee: dj@redhat.com
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-19 00:36 UTC by dj@redhat.com
Modified: 2020-07-08 16:46 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Description dj@redhat.com 2019-10-19 00:36:35 UTC
_nl_load_locale_from_archive() checks for a zero size, but
divides by both (size) and (size-2).  The check should be extended to guard against a size of two or less.

Originally seen in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1470124
Comment 1 Sourceware Commits 2019-10-19 00:42:19 UTC
The master branch has been updated by DJ Delorie <dj@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ef21bd2d8c6805c0c186a01f7c5039189f51b8c4

commit ef21bd2d8c6805c0c186a01f7c5039189f51b8c4
Author: DJ Delorie <dj@redhat.com>
Date:   Fri Oct 18 17:15:52 2019 -0400

    loadarchive: guard against locale-archive corruption (Bug #25115)
    
    _nl_load_locale_from_archive() checks for a zero size, but
    divides by both (size) and (size-2).  Extend the check to
    guard against a size of two or less.
    
    Tested by manually corrupting locale-archive and running a program
    that calls setlocale() with LOCPATH unset (size is typically very
    large).
    
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
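The failure mode described in the report and the commit message, as an added illustration in C (not glibc's code): a header field read from an untrusted locale archive is used as two different divisors, so a check against zero alone leaves the `size == 2` case able to divide by zero. The `toy_archive_head` struct and the double-hashing probe shape (first slot `hval % size`, step `1 + hval % (size - 2)`) are assumptions made for the example.

```c
/* Added example, not glibc's code: validating an archive hash-table size
   before it is used as a divisor.  The real struct locarhead has many more
   fields; only the hash-table size matters for this bug. */
#include <stdbool.h>
#include <stdint.h>

struct toy_archive_head {
    uint32_t namehash_size;   /* number of slots in the name hash table */
};

/* The check the bug report describes: only a zero-sized table is rejected. */
bool old_check_accepts(const struct toy_archive_head *head)
{
    return head->namehash_size != 0;
}

/* The extended check from the fix: a size of two or less is rejected, so both
   divisors used in the probe (size and size - 2) are guaranteed non-zero. */
bool fixed_check_accepts(const struct toy_archive_head *head)
{
    return head->namehash_size > 2;
}

/* Double-hashing probe in the shape the report describes (assumption: first
   slot is hval % size, step is 1 + hval % (size - 2)).  Refuses to divide, and
   returns false, when the header would trigger a divide by zero. */
bool probe_slot(const struct toy_archive_head *head, uint32_t hval,
                uint32_t *idx, uint32_t *incr)
{
    if (!fixed_check_accepts(head))
        return false;
    *idx  = hval % head->namehash_size;
    *incr = 1 + hval % (head->namehash_size - 2);
    return true;
}

/* True when a header passes the old zero check but would still divide by zero
   in the probe: exactly the corrupted-archive case the fix closes. */
bool old_check_misses_divzero(const struct toy_archive_head *head)
{
    return old_check_accepts(head) && head->namehash_size - 2 == 0;
}
```

A corrupted archive with `namehash_size == 2` passes the old check and would fault on the second modulo; the extended check rejects it before any division happens.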
Comment 2 dj@redhat.com 2019-10-19 00:46:54 UTC
Fix committed.