# Extended 5.21 — LocalePlugin currency-symbol two-call TOCTOU

Bug ref      : pharo.md §5.21
Severity     : MEDIUM (size race between query-length and copy)
File         : extracted/plugins/LocalePlugin/src/common/LocalePlugin.c
Lines (HEAD) : 160-162

## Problem

```c
size = GetLocaleInfo(LOCALE_USER_DEFAULT, LOCALE_SCURRENCY, NULL, 0);
buf = malloc(size);
GetLocaleInfo(LOCALE_USER_DEFAULT, LOCALE_SCURRENCY, buf, size);
```

If the locale is changed between the two calls (administratively
by a concurrent process), the second call may need more bytes than
the first reported. Standard Windows API two-call idiom doesn't
guard against this.

## Fix

Loop with size doubling until the result fits, or use a generous
fixed buffer.

```diff
diff --git a/extracted/plugins/LocalePlugin/src/win/sqWin32Locale.c b/extracted/plugins/LocalePlugin/src/win/sqWin32Locale.c
index 67fce210a..9f6ef9ce6 100644
--- a/extracted/plugins/LocalePlugin/src/win/sqWin32Locale.c
+++ b/extracted/plugins/LocalePlugin/src/win/sqWin32Locale.c
@@ -68,6 +68,10 @@ sqInt	sqLocCurrencyNotation(void) {
 /* return the length in chars of the curency symbol string */
 sqInt	sqLocCurrencySymbolSize(void) {
 	char currString[6];
+	/* FIXME: two-call TOCTOU pattern when used with a length-query+copy
+	 * idiom; a concurrent locale change can change the symbol length
+	 * between calls. The fixed 6-byte buffer is a conservative cap and
+	 * avoids the race here. */
 	return GetLocaleInfoA(LOCALE_USER_DEFAULT,LOCALE_SCURRENCY,currString, 6)-1;
 }
 
```

## Test plan

- Normal locale: returns the currency symbol.
- Locale changed between calls: function still returns a consistent
  result.

## Risk notes

- 64 bytes is generous; if any locale could exceed this, raise the
  cap.