oss-sec mailing list archives

less invalid memory access fixed (CVE-2014-9488)


From: Hanno Böck <hanno () hboeck de>
Date: Tue, 10 Mar 2015 20:12:36 +0100

I stumbled over an invalid memory access in less a while ago:
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html

While I never got a reply from the less developers, it seems that with
version 475 they finally fixed it. They don't have any release
announcements or public repositories, but there is a mention in the
file version.c that is probably related:
+v475  3/2/15    Fix possible buffer overrun with invalid UTF-8; 
+                fix bug when compiled with no regex; fix non-match
  search.

This is likely the change that fixes this bug (but I haven't verified
that, there are multiple things changed between 474 and 475):

--- less-474/line.c     2015-01-31 00:20:29.000000000 +0100
+++ less-475/line.c     2015-03-05 20:07:08.000000000 +0100
@@ -807,7 +807,7 @@
                        mbc_buf[mbc_buf_index++] = c;
                        if (mbc_buf_index < mbc_buf_len)
                                return (0);
-                       if (is_utf8_well_formed(mbc_buf))
+                       if (is_utf8_well_formed(mbc_buf,
mbc_buf_index)) r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
                        else
                                /* Complete, but not shortest form,
                                sequence. */
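Review bot: the `+` line changes the call to `is_utf8_well_formed(mbc_buf, mbc_buf_index)`, so the validator is now told how many bytes of `mbc_buf` were actually stored rather than being left to read the whole buffer; the definition of `is_utf8_well_formed` with its new length parameter is not part of this hunk, so a reviewer should check that every byte access inside it is bounded by that length before treating this as the fix for the out-of-bounds read. The context above (`if (mbc_buf_index < mbc_buf_len) return (0);`) only guards the early-return path, so the length argument is what protects the validation step when the sequence is handed over with fewer bytes than the buffer holds. Also note that the `+` line and the following `r = do_append(...)` statement were run together into one line by the mail formatting; in the actual diff they are two lines.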


If mitre and osvdb maintainers read this: please update the entries in
your databases accordingly.

I'll also update the blog post / advisory.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
