Bug 145527 - CAN-2005-0086 less crashes on scrolling of binary files
CAN-2005-0086 less crashes on scrolling of binary files
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: less (Show other bugs)
3.0
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Jindrich Novy
impact=important,public=20050119
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-19 07:15 EST by Victor Ashik
Modified: 2013-07-02 19:05 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-01-26 10:40:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Binary file consists of 1036 '\0x81' chars - testcase for less segfault (1.01 KB, application/octet-stream)
2005-01-20 09:14 EST, Victor Ashik
no flags Details
Expand charset[] buffer with expanding of other buffers (962 bytes, patch)
2005-01-21 06:39 EST, Victor Ashik
no flags Details | Diff
Corrected patch for expading charset[] buffer with expanding of other buffers (971 bytes, patch)
2005-01-21 07:52 EST, Victor Ashik
no flags Details | Diff

  None (edit)
Description Victor Ashik 2005-01-19 07:15:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
Scrolling of hdlist2 causes less to segfault.

Version-Release number of selected component (if applicable):
less-378-11

How reproducible:
Always

Steps to Reproduce:
1. Mount any RHEL3 CD1 on /mnt/cdrom and do
2. less -f /mnt/cdrom/RedHat/base/hdlist2
3. Press and hold spacebar.

Actual Results:  It will cause a segmentation fault.


Expected Results:  Scrolling till the end of file.

Additional info:

I think it is the failed assertion in first line of buffering_multi.
Comment 1 Suzanne Hillman 2005-01-19 17:34:38 EST
Why are you trying to run less on a binary file?
Comment 2 Victor Ashik 2005-01-20 06:24:46 EST
Because I like it ;-)

It may be a security problem, because after some digging with debugger
it looks like a buffer overflow.

Vulnerable pager is a very, very bad thing.
I am sorry for not giving it SECURITY flag yesterday. Giving it now.
Please, fix it.

Hint1: buffer overflows in a UTF-8 locale on a line of 0x81 bytes
longer than 1028.
Hint2: overflow seems to overwrite MULBUF* mp in multi.c
Comment 3 Victor Ashik 2005-01-20 09:12:38 EST
Update: in en_US.UTF-8 locale Hint1 requires more than 1035 bytes.
Comment 4 Victor Ashik 2005-01-20 09:14:26 EST
Created attachment 110010 [details]
Binary file consists of 1036 '\0x81' chars - testcase for less segfault
Comment 6 Josh Bressers 2005-01-20 09:40:20 EST
This issue could be dangerous.  Ideally this issue would be best fixed in the
next round of quarterly updates.
Comment 8 Victor Ashik 2005-01-21 06:39:58 EST
Created attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

Found the error. We are expanding linebuf[] and attr[] buffers in
expand_linebuf(), line.c:90, but forgetting to expand charset[] buffer.
Comment 9 Victor Ashik 2005-01-21 07:49:46 EST
Comment on attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

The patch is not perfect.

calloc for charset should allocate sizeof(CHARSET) blocks and returned pointer
sould be converted to (CHARSET*)
Comment 10 Victor Ashik 2005-01-21 07:52:13 EST
Created attachment 110048 [details]
Corrected patch for expading charset[] buffer with expanding of other buffers

Corrected types in calloc line. Now it works.
Comment 11 Jindrich Novy 2005-01-24 05:18:51 EST
Victor, thanks for the patch. The fix is confirmed and patch is now added to CVS.
Comment 12 Victor Ashik 2005-01-24 05:24:29 EST
Thanks for a job well done.
Comment 15 Josh Bressers 2005-01-25 09:27:50 EST
I've done some investigating on this issue.  This problem is caused by
a patch we apply to the RHEL3 less.  It does not affect the original
version, or any upstream versions I've tried.
Comment 16 Josh Bressers 2005-01-26 10:40:20 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-068.html

Note You need to log in before you can comment on or make changes to this bug.