Package: less
Version: 551-2
Severity: normal
Tags: patch upstream

The code that parses the number in the command buffer does not check integer overflow.
I'm attaching a patch, which saturates the value to INT_MAX, since there are conversions to int in some parts of the code.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages less depends on:
ii  libc6      2.31-5
ii  libtinfo6  6.2+20201114-1

less recommends no packages.

less suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
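The saturating digit accumulation described above, rewritten as a stand-alone C example (added here; it is not code from less or from the report) so the boundary cases can be exercised. The helper names are assumptions, the limit is a parameter so the same check also covers an accumulator wider than int, and the sample inputs are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Added example: saturating decimal accumulation, as in the cmd_int() fix.
 * Digits in s are accumulated into n, which is clamped at `limit`
 * (INT_MAX below, because the caller narrows the result to int).
 * Requires limit >= 9 so that (limit - d) is never negative.
 * Parsing stops at the first non-digit; *endp receives its position. */
long long parse_saturating(const char *s, long long limit, const char **endp)
{
    long long n = 0;
    const char *p;
    for (p = s; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        /* n * 10 + d <= limit  <=>  n <= (limit - d) / 10 with integer
         * division, so the possibly overflowing product is never formed.
         * Once n == limit the test stays true, so the clamp is sticky. */
        if (n > (limit - d) / 10)
            n = limit;
        else
            n = n * 10 + d;
    }
    if (endp)
        *endp = p;
    return n;
}

/* Hypothetical wrapper with the patch's limit and the narrowing to int. */
int parse_cmd_int(const char *s)
{
    return (int)parse_saturating(s, INT_MAX, NULL);
}

int main(void)
{
    /* Constructed inputs around the int boundary, plus a fractional one. */
    const char *samples[] = {
        "123", "2147483646", "2147483647", "2147483648",
        "99999999999999999999", "12.5"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *end;
        long long v = parse_saturating(samples[i], INT_MAX, &end);
        printf("%-22s -> %lld%s (stopped at \"%s\")\n", samples[i], v,
               v == INT_MAX ? " (at INT_MAX)" : "", end);
    }
    return 0;
}
```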
Description: Avoid an integer overflow on the number in the command buffer.
 The value is saturated to INT_MAX.
Author: Vincent Lefevre <vinc...@vinc17.net>
Last-Update: 2020-12-15

diff --git a/cmdbuf.c b/cmdbuf.c index eb1f23e..93eec2b 100644 --- a/cmdbuf.c +++ b/cmdbuf.c @@ -1330,6 +1330,7 @@ cmd_char(c) /* * Return the number currently in the command buffer. + * Since this value may be converted to int, it is saturated to INT_MAX. */ public LINENUM cmd_int(frac) @@ -1340,7 +1341,7 @@ cmd_int(frac) int err; for (p = cmdbuf; *p >= '0' && *p <= '9'; p++) - n = (n * 10) + (*p - '0'); + n = n > (INT_MAX - (*p - '0')) / 10 ? INT_MAX : (n * 10) + (*p - '0'); *frac = 0; if (*p++ == '.') {
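Review bot: the clamp in the second hunk is correct but silent. For n > (INT_MAX - d) / 10 the product n * 10 + d would exceed INT_MAX, and once n equals INT_MAX every further digit keeps it there, so a number typed past INT_MAX is quietly accepted as 2147483647 instead of being reported; since `int err;` is already declared in cmd_int, consider signalling the saturation through that path (or to the caller) so the user learns the input was not honoured as typed. Also, the hunk introduces INT_MAX without adding `#include <limits.h>`, so confirm cmdbuf.c already gets it through its existing headers before merging.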