Fix overflows with malformed lesskey lines#234

Merged
gwsw merged 1 commit into gwsw:master from stoeckmann:lesskeys on Dec 25, 2021
Conversation

@stoeckmann

Contributor

If lines are malformed it is possible to trigger out of boundary
read accesses during parsing.

Carefully handle the pointer increments to not move behind the
terminating nul byte.

How to reproduce:

python -c 'print(1022*" "+"\\")' > lesskey-1.txt
python -c 'print(1022*" "+"^")' > lesskey-2.txt
python -c 'print(1021*" "+"\\k")' > lesskey-3.txt

Open these files with lesskey, compiled with -fsanitize=address.

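As an added illustration of the bug class this PR describes (not lesskey's own code), the following is a simplified model of a line walker in which "\", "^" and "\k" are multi-byte prefixes, so the walker must look at the byte after each prefix; the unsafe version steps over the terminating NUL when the prefix is the last byte of the line, the safe version never does. The token grammar, function names and NUL-terminated input are assumptions of this example.

```c
#include <stddef.h>

/* Hypothetical model of a lesskey line walker, not lesskey's code. A "\"
 * escapes the next byte, "^" introduces a control character, and "\k" is
 * followed by one key-name letter, so each prefix makes the walker look
 * past it. Buffers are assumed to be NUL-terminated C strings. */

/* Unsafe: advances by the prefix length without checking for the NUL. */
static const char *next_token_unsafe(const char *p)
{
    if (*p == '\\')
        return (p[1] == 'k') ? p + 3 : p + 2;   /* may step over the NUL */
    if (*p == '^')
        return p + 2;                           /* may step over the NUL */
    return p + 1;
}

/* Safe: every increment first checks that the byte being skipped is not NUL. */
static const char *next_token_safe(const char *p)
{
    if (*p == '\0')
        return p;
    if (*p == '\\') {
        if (p[1] == '\0')
            return p + 1;                       /* lone "\" at end of line */
        if (p[1] == 'k')
            return (p[2] == '\0') ? p + 2 : p + 3;
        return p + 2;
    }
    if (*p == '^')
        return (p[1] == '\0') ? p + 1 : p + 2;
    return p + 1;
}

/* Walks a line to its terminator and returns how many bytes were consumed;
 * anything larger than strlen(line) means the walker read past the NUL. */
static size_t consumed_bytes(const char *line,
                             const char *(*next)(const char *))
{
    const char *p = line;
    while (*p != '\0')
        p = next(p);
    return (size_t)(p - line);
}
```

Run against the three malformed shapes from the reproduction above (trailing "\", trailing "^", trailing "\k"), the unsafe walker reports one more byte consumed than the line holds, which is exactly the read an address sanitizer flags; on a well-formed line both walkers agree.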
@stoeckmann

Contributor Author

I did not fuzz possible lesskey files so I do not know if this covers all cases. The last adjustment is probably not necessary -- but I added it just in case.

For style reasons it might make sense to modify all *pp = p+1 lines in that function.

@gwsw gwsw merged commit fc0ea4f into gwsw:master Dec 25, 2021