Hi Salvatore,

On 5/2/24 10:45, Salvatore Bonaccorso wrote:
[...]

I did ponder adding this fix as well for the
upcoming less DSA, but it won't apply to the older releases and
the issue is comparatively minor.

I think I will go ahead with the two CVE fixes only.

Take a look at the attached patch. It applies to and fixes the bookworm and bullseye versions. It seems the buster version is not vulnerable to this particular issue.


Milan
Date:   Tue Apr 23 10:54:50 2024 -0700
Author: Mark Nudelman <ma...@greenwoodsoftware.com>
Author: Milan Kupcevic <mi...@debian.org>
Origin: upstream, https://github.com/gwsw/less/commit/2a642a07d86f7f9484db18cd748bc521e71c997f
Bug-Debian: https://bugs.debian.org/1069681
Applied-Upstream: 654
Subject: Fix incorrect display when filename contains control chars.

---
 output.c | 12 ++++++++++--
 prompt.c | 17 ++++++++++++-----
 2 files changed, 22 insertions(+), 7 deletions(-)

--- a/output.c
+++ b/output.c
@@ -31,6 +31,7 @@
 extern int screen_trashed;
 extern int is_tty;
 extern int oldbot;
+extern int utf_mode;
 
 #if MSDOS_COMPILER==WIN32C || MSDOS_COMPILER==BORLANDC || MSDOS_COMPILER==DJGPPC
 extern int ctldisp;
@@ -562,6 +563,7 @@
 	PARG *parg;
 {
 	char *s;
+	char *es;
 	int col;
 
 	col = 0;
@@ -578,11 +580,17 @@
 			{
 			case 's':
 				s = parg->p_string;
+				es = s + strlen(s);
 				parg++;
 				while (*s != '\0')
 				{
-					putchr(*s++);
-					col++;
+					LWCHAR ch = step_char(&s, +1, es);
+					constant char *ps = utf_mode ? prutfchar(ch) : prchar(ch);
+					while (*ps != '\0')
+					{
+						putchr(*ps++);
+						col++;
+					}
 				}
 				break;
 			case 'd':
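Review bot: The rewritten `case 's':` loop computes `es` but still exits on `*s != '\0'`, so its termination test and the limit passed to `step_char` are two separate conditions. Writing it as `while (s < es)` would stop the loop at the same bound `step_char` is given and avoid dereferencing `s` if it were ever left beyond that limit; `step_char` is defined outside this hunk, so its behaviour on undecodable bytes is assumed here, not checked. The branch would also benefit from a comment saying why bytes no longer go straight to `putchr`, for example `/* %s may carry a file name: emit each char's printable form, never a raw control byte */`. The enclosing function starts and ends outside the hunk.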
--- a/prompt.c
+++ b/prompt.c
@@ -29,6 +29,7 @@
 extern int sc_height;
 extern int jump_sline;
 extern int less_is_more;
+extern int utf_mode;
 extern IFILE curr_ifile;
 #if EDITOR
 extern char *editor;
@@ -83,13 +84,17 @@
 ap_str(s)
 	char *s;
 {
-	int len;
-
-	len = (int) strlen(s);
-	if (mp + len >= message + PROMPT_SIZE)
-		len = (int) (message + PROMPT_SIZE - mp - 1);
-	strncpy(mp, s, len);
-	mp += len;
+	char *es = s + strlen(s);
+	while (*s != '\0')
+	{
+	        LWCHAR ch = step_char(&s, +1, es);
+	        constant char *ps = utf_mode ? prutfchar(ch) : prchar(ch);
+	        size_t plen = strlen(ps);
+	        if (mp + plen >= message + PROMPT_SIZE)
+	                break;
+	        strcpy(mp, ps);
+	        mp += plen;
+	}
 	*mp = '\0';
 }
 
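Review bot: The bounds check `if (mp + plen >= message + PROMPT_SIZE)` in `ap_str` forms the pointer `mp + plen` before it is known to lie inside `message`, which is undefined once it goes beyond one past the end of the array. Comparing lengths avoids that: `if (plen >= (size_t)(message + PROMPT_SIZE - mp)) break;`. With that guard the following `strcpy(mp, ps)` stays in bounds including its terminator; `memcpy(mp, ps, plen)` would state the bounded copy explicitly, since `*mp = '\0'` is written after the loop anyway. The added lines are indented with a tab plus eight spaces, while the unchanged lines of the function use tabs only. The return-type line of `ap_str` is above the hunk.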
