From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
Scrolling of hdlist2 causes less to segfault.

Version-Release number of selected component (if applicable):
less-378-11

How reproducible:
Always

Steps to Reproduce:
1. Mount any RHEL3 CD1 on /mnt/cdrom and do
2. less -f /mnt/cdrom/RedHat/base/hdlist2
3. Press and hold spacebar.

Actual Results: It will cause a segmentation fault.

Expected Results: Scrolling till the end of file.

Additional info:
I think it is the failed assertion in the first line of buffering_multi.
Why are you trying to run less on a binary file?
Because I like it ;-) It may be a security problem, because after some digging with a debugger it looks like a buffer overflow. A vulnerable pager is a very, very bad thing. I am sorry for not giving it the SECURITY flag yesterday. Giving it now. Please, fix it. Hint1: buffer overflows in a UTF-8 locale on a line of 0x81 bytes longer than 1028. Hint2: overflow seems to overwrite MULBUF* mp in multi.c
Update: in en_US.UTF-8 locale Hint1 requires more than 1035 bytes.
Created attachment 110010 [details] Binary file consists of 1036 '\0x81' chars - testcase for less segfault
This issue could be dangerous. Ideally this issue would be best fixed in the next round of quarterly updates.
Created attachment 110046 [details] Expand charset[] buffer with expanding of other buffers Found the error. We are expanding the linebuf[] and attr[] buffers in expand_linebuf(), line.c:90, but forgetting to expand the charset[] buffer.
Comment on attachment 110046 [details] Expand charset[] buffer with expanding of other buffers The patch is not perfect. calloc for charset should allocate sizeof(CHARSET) blocks and the returned pointer should be converted to (CHARSET*).
Created attachment 110048 [details] Corrected patch for expanding charset[] buffer with expanding of other buffers Corrected types in calloc line. Now it works.
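The parallel-buffer bug described in the attachment comments above, as an added example that is not code from less or from the patches in this report: a model of expand_linebuf() growing linebuf[], attr[] and charset[] together so a column index valid for one buffer is valid for all three. The one-byte CHARSET type, the 1024-byte start size with doubling, and the store_char(), page_long_line() and charset_tag_at() helpers are assumptions made for the demonstration.

```c
#include <stdlib.h>
/* Constructed model of the three per-column buffers the report names. CHARSET
 * as a one-byte tag and the growth sizes are assumptions; not less's own code. */
typedef unsigned char CHARSET;
static char    *linebuf = NULL;
static char    *attr    = NULL;
static CHARSET *charset = NULL;
static size_t   size_linebuf = 0;   /* capacity shared by all three buffers */

/* Grow every buffer indexed by the same column. The RHEL3 bug was this function
 * growing linebuf and attr but not charset, so later charset[] writes went past
 * its old end on any line longer than the initial capacity. */
static int expand_linebuf(void)
{
    size_t new_size = size_linebuf ? size_linebuf * 2 : 1024;
    char *nl = realloc(linebuf, new_size);
    if (nl == NULL) return -1;
    linebuf = nl;
    char *na = realloc(attr, new_size);
    if (na == NULL) return -1;
    attr = na;
    /* The step the first patch lacked: charset[] grows too, sized in CHARSET
     * elements rather than chars (the type fix noted on the second patch). */
    CHARSET *nc = realloc(charset, new_size * sizeof(CHARSET));
    if (nc == NULL) return -1;
    charset = nc;
    size_linebuf = new_size;
    return 0;
}

/* Append one byte with its attribute and charset tag; grow first when the
 * column would land outside the shared capacity. */
static int store_char(char c, char a, CHARSET cs, size_t *curr)
{
    if (*curr >= size_linebuf && expand_linebuf() != 0) return -1;
    linebuf[*curr] = c;
    attr[*curr] = a;
    charset[*curr] = cs;
    (*curr)++;
    return 0;
}

/* Page a constructed line of n 0x81 bytes (the shape of the attached test case)
 * from a fresh state. Returns the final capacity, or 0 on allocation failure. */
size_t page_long_line(size_t n)
{
    free(linebuf); free(attr); free(charset);
    linebuf = attr = NULL; charset = NULL; size_linebuf = 0;
    size_t curr = 0;
    for (size_t i = 0; i < n; i++)
        if (store_char((char)0x81, 0, 1, &curr) != 0) return 0;
    return size_linebuf;
}

/* Read a column's charset tag back (0 if outside capacity) so growth can be checked. */
CHARSET charset_tag_at(size_t i) { return i < size_linebuf ? charset[i] : 0; }
```

With the 1036-byte line from the attachment, the capacity doubles once at column 1024 and the final charset tag lands inside the grown buffer instead of past the end of the original one.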
Victor, thanks for the patch. The fix is confirmed and patch is now added to CVS.
Thanks for a job well done.
I've done some investigating on this issue. This problem is caused by a patch we apply to the RHEL3 less. It does not affect the original version, or any upstream versions I've tried.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-068.html