On Wed, Jan 04, 2017 at 03:55:20PM +0100, Julien Ramseier wrote:
> The environment variable LESSBINFMT is not properly validated. If it is
> set to "*", less will read past the end of the string (an out-of-bounds read).
> 
> This happens because strchr() can be called with '\0' as its second
> argument. The terminating NUL counts as part of the searched string, so
> such a call does not return NULL but a pointer to that terminator.
> Therefore the checkfmt() function does not notice that the environment
> variable is invalid and advances past its end.
> --
> The file line.c has the same issue but I'm not sure if '\0' is a valid
> code in an ANSI sequence or not.
> 
> Patch from Tobias Stoeckmann
> https://github.com/gdamore/less-fork/commit/c4eae4da7b51ec0125dcc40df2523c8c8e5387d2

ok tb

> 
> Index: charset.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/less/charset.c,v
> retrieving revision 1.19
> diff -u -r1.19 charset.c
> --- charset.c 17 Sep 2016 15:06:41 -0000      1.19
> +++ charset.c 4 Jan 2017 14:48:46 -0000
> @@ -37,7 +37,7 @@
> 
>       if (*s == '*') {                /* skip leading attribute if there */
>               s++;
> -             if (strchr("dksu", *s) == NULL) {
> +             if (*s == '\0' || strchr("dksu", *s) == NULL) {
>                       return (-1);
>               }
>               s++;
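Review bot: The `*s != '\0'` guard is now repeated by hand in front of every strchr() on a character set (`strchr("dksu", *s)` here, `strchr(" '+-0#", *s)` and `strchr("cCdiouxX", *s)` in the hunks below), and a later edit that adds another set is likely to forget it, reintroducing the same over-read. A one-line helper makes the invariant explicit: `static int in_set(const char *set, int c) { return c != '\0' && strchr(set, c) != NULL; }`, after which this line reads `if (!in_set("dksu", *s)) {`. checkfmt() begins before this hunk, so the helper would go above it near the top of charset.c.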
> @@ -57,7 +57,8 @@
>               if (seen) {
>                       return (-1);    /* 2nd % format item! */
>               }
> -             while (strchr(" '+-0#", *s) != NULL) {  /* skip flags */
> +             /* skip flags */
> +             while (*s != '\0' && strchr(" '+-0#", *s) != NULL) {
>                       s++;
>               }
>               while (isdigit(*s)) {                   /* skip width */
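Review bot: `isdigit(*s)` on the line right after the new flag loop is passed a plain `char`; where `char` is signed and LESSBINFMT contains a byte >= 0x80 the argument is negative and not EOF, which is undefined behaviour for the <ctype.h> classifiers, so the width scan can misbehave on the same attacker-chosen string this patch is hardening against. Cast first: `while (isdigit((unsigned char)*s)) {`, and apply the same cast to any other ctype call in checkfmt() if there are more outside this hunk. The new flag loop itself is correct: it stops at the terminator before strchr() can match it, and the overlap of `'0'` between the flag set and the digit class is harmless because leading zeros are consumed as flags first. checkfmt() continues past the end of this hunk.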
> @@ -78,7 +79,7 @@
>                               s++;
>               }
> 
> -             if (strchr("cCdiouxX", *s) == NULL) {
> +             if (*s == '\0' || strchr("cCdiouxX", *s) == NULL) {
>                       /* bad or evil format character (%s, %n, etc.) */
>                       return (-1);
>               }
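Review bot: The cover note says line.c contains the same strchr()-with-'\0' pattern but this commit leaves it untouched, so the out-of-bounds read is only half fixed if that code is also reachable with a string ending mid-sequence. If a NUL cannot legitimately occur inside an ANSI escape sequence, the same `*s != '\0' &&` guard used in this hunk applies there; if it can, a short comment in line.c such as `/* '\0' is a valid member of this set; strchr() matching the terminator is intended */` would stop the next reader from "fixing" it the wrong way. Either way the decision should be recorded rather than deferred in the commit message. checkfmt() continues after the closing brace of this hunk.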
> 
