The environment variable LESSBINFMT is not properly validated. If it is
set to "*", less performs an out-of-bounds access.

This happens because strchr can be called with '\0' as its second argument.
Such a call does not return NULL but the address of the terminating '\0'
in the string. Therefore, the checkfmt function does not notice that the
environment variable is invalid.
--
The file line.c has the same issue but I'm not sure if '\0' is a valid
code in an ANSI sequence or not.

Patch from Tobias Stoeckmann
https://github.com/gdamore/less-fork/commit/c4eae4da7b51ec0125dcc40df2523c8c8e5387d2

Index: charset.c
===================================================================
RCS file: /cvs/src/usr.bin/less/charset.c,v
retrieving revision 1.19
diff -u -r1.19 charset.c
--- charset.c   17 Sep 2016 15:06:41 -0000      1.19
+++ charset.c   4 Jan 2017 14:48:46 -0000
@@ -37,7 +37,7 @@

        if (*s == '*') {                /* skip leading attribute if there */
                s++;
-               if (strchr("dksu", *s) == NULL) {
+               if (*s == '\0' || strchr("dksu", *s) == NULL) {
                        return (-1);
                }
                s++;
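Review bot: The `*s == '\0' ||` guard is now spelled out three times next to three different character sets (here, in the flags loop of the @@ -57 hunk and in the conversion-character check of the @@ -78 hunk), which invites the sites to drift apart the next time one of the sets is edited; a one-line file-scope helper would keep the rule in one place, e.g. `static int in_charset(const char *set, int c) { return c != '\0' && strchr(set, c) != NULL; }` and here `if (!in_charset("dksu", *s)) {`. The guard itself is correct: strchr() with a NUL search character returns a pointer to the terminator, so without it the `s++` on the last line of this hunk would step past the end of the string. The enclosing function (checkfmt, per the preamble) begins and ends outside the hunk.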
@@ -57,7 +57,8 @@
                if (seen) {
                        return (-1);    /* 2nd % format item! */
                }
-               while (strchr(" '+-0#", *s) != NULL) {  /* skip flags */
+               /* skip flags */
+               while (*s != '\0' && strchr(" '+-0#", *s) != NULL) {
                        s++;
                }
                while (isdigit(*s)) {                   /* skip width */
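Review bot: The width loop on the last line of this hunk still passes a plain `char` to isdigit(); on platforms where char is signed, a byte of 0x80 or above in LESSBINFMT becomes a negative argument, which is undefined behavior for the <ctype.h> functions unless the value equals EOF. Cast before the call: `while (isdigit((unsigned char)*s)) {`. The new NUL guard on the flags loop is fine and also terminates this loop cleanly, since isdigit('\0') is false; any further isdigit() calls in the part of the function outside this hunk would presumably need the same cast, but they are not visible here.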
@@ -78,7 +79,7 @@
                                s++;
                }

-               if (strchr("cCdiouxX", *s) == NULL) {
+               if (*s == '\0' || strchr("cCdiouxX", *s) == NULL) {
                        /* bad or evil format character (%s, %n, etc.) */
                        return (-1);
                }
