_nl_load_locale_from_archive() checks for a zero size, but divides by both (size) and (size-2). The check should be extended to guard against a size of two or less. Originally seen in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1470124
The master branch has been updated by DJ Delorie <dj@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ef21bd2d8c6805c0c186a01f7c5039189f51b8c4

commit ef21bd2d8c6805c0c186a01f7c5039189f51b8c4
Author: DJ Delorie <dj@redhat.com>
Date:   Fri Oct 18 17:15:52 2019 -0400

    loadarchive: guard against locale-archive corruption (Bug #25115)

    _nl_load_locale_from_archive() checks for a zero size, but divides by
    both (size) and (size-2). Extend the check to guard against a size of
    two or less.

    Tested by manually corrupting locale-archive and running a program
    that calls setlocale() with LOCPATH unset (size is typically very
    large).

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Fix committed.
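The guard described in this report, as an added C example that is not glibc's code nor part of the bug thread: a constructed header holding only the hash-table size field, the pre-fix and post-fix checks side by side, and a double-hashing probe (assumed here to be where the two divisions by size and size-2 occur) that refuses to divide until the size passes the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the one header field this report is about; it is
   not glibc's real locale-archive header layout. */
struct archive_head {
    uint32_t namehash_size;   /* number of slots in the name hash table */
};

/* The pre-fix check: only a zero size is rejected. */
static bool namehash_size_ok_old(const struct archive_head *h)
{
    return h->namehash_size != 0;
}

/* The check after the fix: anything at or below two is rejected, because the
   loader divides by (size - 2) as well as by (size). */
static bool namehash_size_ok_new(const struct archive_head *h)
{
    return h->namehash_size > 2;
}

/* Assumed double-hashing arithmetic behind "divides by both (size) and
   (size-2)": a start slot and a probe step.  With size == 2 the second modulus
   is zero (undefined in C, SIGFPE on x86); with size == 1 the unsigned
   subtraction wraps to 0xFFFFFFFF and gives a nonsense step.  The guard runs
   first, so a rejected header never reaches either division. */
static bool probe_position(const struct archive_head *h, uint32_t hval,
                           bool (*size_ok)(const struct archive_head *),
                           uint32_t *slot, uint32_t *step)
{
    if (!size_ok(h))
        return false;
    *slot = hval % h->namehash_size;
    *step = 1 + hval % (h->namehash_size - 2);
    return true;
}

int main(void)
{
    /* Constructed headers: a sane one and one a corrupted archive might hold. */
    struct archive_head sane = { 1024 }, corrupt = { 2 };
    uint32_t slot = 0, step = 0;
    probe_position(&sane, 12345u, namehash_size_ok_new, &slot, &step);
    printf("sane: slot=%u step=%u\n", slot, step);
    printf("corrupt size=2: old check accepts=%d, new check accepts=%d\n",
           namehash_size_ok_old(&corrupt), namehash_size_ok_new(&corrupt));
    return 0;
}
```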