The environment variable LESSBINFMT is not properly validated. If it is set to "*", less will perform an out-of-bounds access.
This happens because strchr can be called with '\0' as second argument. Such a call won't return NULL but the address of the '\0' in the string. Therefore, the checkfmt function won't notice that the environment variable is invalid. -- The file line.c has the same issue but I'm not sure if '\0' is a valid code in an ANSI sequence or not. Patch from Tobias Stoeckmann https://github.com/gdamore/less-fork/commit/c4eae4da7b51ec0125dcc40df2523c8c8e5387d2
Index: charset.c
===================================================================
RCS file: /cvs/src/usr.bin/less/charset.c,v
retrieving revision 1.19
diff -u -r1.19 charset.c
--- charset.c	17 Sep 2016 15:06:41 -0000	1.19
+++ charset.c	4 Jan 2017 14:48:46 -0000
@@ -37,7 +37,7 @@
 	if (*s == '*') {	/* skip leading attribute if there */
 		s++;
-		if (strchr("dksu", *s) == NULL) {
+		if (*s == '\0' || strchr("dksu", *s) == NULL) {
 			return (-1);
 		}
 		s++;
@@ -57,7 +57,8 @@
 	if (seen) {
 		return (-1);	/* 2nd % format item! */
 	}
-	while (strchr(" '+-0#", *s) != NULL) {	/* skip flags */
+	/* skip flags */
+	while (*s != '\0' && strchr(" '+-0#", *s) != NULL) {
 		s++;
 	}
 	while (isdigit(*s)) {	/* skip width */
@@ -78,7 +79,7 @@
 		s++;
 	}
-	if (strchr("cCdiouxX", *s) == NULL) {
+	if (*s == '\0' || strchr("cCdiouxX", *s) == NULL) {
 		/* bad or evil format character (%s, %n, etc.) */
 		return (-1);
 	}
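Review bot: The `*s == '\0' ||` guard is repeated by hand in all three hunks (lines 37, 57 and 78), and the description says line.c has the same problem; a one-line helper such as `static int in_set(const char *set, int c) { return c != '\0' && strchr(set, c) != NULL; }` would name the intent once and let line.c reuse the same guard instead of copying the pattern a fourth time. Separately, the unchanged context line `while (isdigit(*s))` in the second hunk passes a plain `char` to a <ctype.h> function; LESSBINFMT comes from the environment, so a byte above 0x7f is negative where char is signed, which is undefined behaviour for isdigit — `while (isdigit((unsigned char)*s))` avoids it. Since the value is only ever read from the caller's own environment, the practical impact is limited, but the fix is cheap. checkfmt's body starts before the first hunk and continues between and past the hunks shown here.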