less 458 crashes if search regex has many groups

Bug #1521043 reported by Richard Hansen
Affects        Status        Importance  Assigned to  Milestone
less (Debian)  Fix Released  Unknown
less (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

less 458 crashes if there are enough capture groups in the regular expression used for search:

    newline=$(printf \\nx); newline=${newline%x}
    echo x | LESS="+g/(((((x)))))${newline}" less

On amd64, the above produces a segfault:

    Segmentation fault (core dumped)

On i386, the above triggers an assert:

    *** Error in `less': double free or corruption (fasttop): 0x0887f9e8 ***
    Aborted
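An added check script, not part of the bug report, that wraps the reproducer above: it builds the nested-group pattern for any group count, runs the installed less under coreutils `timeout` (an assumption), and classifies the exit status (139 is SIGSEGV, the amd64 symptom; 134 is SIGABRT from glibc's double-free check, the i386 symptom). It must be run from a terminal, because less behaves like cat when stdout is not a tty and then never executes the search.

```shell
# Build a regex nesting N capture groups around a literal "x"; N=5 gives
# the reporter's "(((((x)))))".
build_group_regex() {
    n=$1; open=''; close=''
    while [ "$n" -gt 0 ]; do
        open="$open("; close="$close)"; n=$((n - 1))
    done
    printf '%s' "${open}x${close}"
}

# Map a shell exit status to a verdict: 128+11 is SIGSEGV (amd64 symptom),
# 128+6 is SIGABRT (glibc double-free detection, i386 symptom), 124 means
# `timeout` expired, i.e. the pager was still waiting and did not crash.
classify_status() {
    case $1 in
        139) echo segfault ;;
        134) echo abort ;;
        124) echo timeout ;;
        0)   echo ok ;;
        *)   echo "exit $1" ;;
    esac
}

# Run the reporter's reproducer with N groups (default 5, as in the report).
# Assumes coreutils `timeout` is installed and that this runs from a tty.
check_less_crash() {
    n=${1:-5}
    # Same trick as the report: an embedded newline terminates the search.
    newline=$(printf '\nx'); newline=${newline%x}
    echo x | LESS="+g/$(build_group_regex "$n")${newline}" timeout 5 less
    classify_status $?
}

# Usage: check_less_crash 5   -> "segfault" or "abort" on less 458,
#        "ok" (after quitting the pager) or "timeout" on a fixed build.
```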

Tags: patch trusty wily
Richard Hansen (rhansen)
summary: - less crashes if regex has many groups
+ less crashes if search regex has many groups
description: updated
summary: - less crashes if search regex has many groups
+ less 458 crashes if search regex has many groups
tags: added: trusty wily
description: updated
Changed in less (Debian):
status: Unknown → Incomplete
Revision history for this message
Richard Hansen (rhansen) wrote :

This is an upstream less bug that was fixed in version 481. Attached is a debdiff that cherry-picks the fix for this bug.

I have uploaded a fixed version of less to my PPA (for trusty (14.04) and wily (15.10)). See:
https://launchpad.net/~a7x/+archive/ubuntu/bug1521043

tags: added: patch
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Changed in less (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Richard Hansen (rhansen) wrote :

I renamed my account, so the PPA with the fixed version is now at:
https://launchpad.net/~rhansen/+archive/ubuntu/bug1521043

Revision history for this message
Michael Terry (mterry) wrote :

Thank you so much for the patch! I've uploaded it with minor modifications to xenial. Specifically, adjusted changelog (version simplification, wily->xenial, named patch file) and ran update-maintainer.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package less - 458-3ubuntu1

---------------
less (458-3ubuntu1) xenial; urgency=medium

  * d/p/03-707824-fix_double_free_with_multiple_regex_groups.patch:
    - Cherry-pick upstream fix for double free in regular expression
      code. (Closes: #707824; LP: #1521043)

 -- Richard Hansen <email address hidden> Sun, 29 Nov 2015 22:40:34 -0500

Changed in less (Ubuntu):
status: Triaged → Fix Released
Changed in less (Debian):
status: Incomplete → Fix Released