Busybox segfaults when searching for a very short string in a file viewed with 'less'. I ran into this while doing the following:

    $ bb
    $ bbconfig | less
    /
    Segmentation fault

Tested with version 1.1.1 and 1.1.2, with a hardened and a vanilla gcc-3.4.6 compiler, with -Os and -O2, with and without debug.

    [ebuild R ] sys-apps/busybox-1.1.2 +debug -floppyboot -make-symlinks -netboot -savedconfig +static 0 kB

To reproduce in another way:

    $ man file >file
    $ busybox less file
    [type / and Enter]
    Segmentation fault

    (gdb) bt
    #0  0x081596bb in strlen ()
    #1  0x08144cf0 in vfprintf ()
    #2  0x0814f630 in vsnprintf ()
    #3  0x08124967 in bb_xasprintf (format=0x81e9c6f "%.*s%s%.*s%s%s") at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/libbb/bb_asprintf.c:22
    #4  0x08085b0a in regex_process () at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/miscutils/less.c:621
    #5  0x08086126 in less_main (argc=137304832, argv=0x82f1e9c) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/miscutils/less.c:1096
    #6  0x08048464 in run_applet_by_name (name=0x238 <Address 0x238 out of bounds>, argc=2, argv=0xbff7c3f8) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/applets.c:456
    #7  0x08048767 in busybox_main (argc=3, argv=0xbff7c3f4) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/busybox.c:146
    #8  0x08048402 in run_applet_by_name (name=0xbff7d35b "busybox", argc=3, argv=0xbff7c3f4) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/applets.c:449
    #9  0x0804865f in main (argc=137822590, argv=0xbff7c3f4) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/busybox.c:76

Searching for a single vowel (and some other single letters) will segfault too. The backtrace is different then:

    (gdb) bt
    #0  0x0814ed31 in fileno_unlocked ()
    #1  0x0808478e in tless_getch () at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/miscutils/less.c:140
    #2  0x08085ee1 in less_main (argc=137304832, argv=0x82f1e9c) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/miscutils/less.c:1174
    #3  0x08048464 in run_applet_by_name (name=0x238 <Address 0x238 out of bounds>, argc=2, argv=0xbf8673c8) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/applets.c:456
    #4  0x08048767 in busybox_main (argc=3, argv=0xbf8673c4) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/busybox.c:146
    #5  0x08048402 in run_applet_by_name (name=0xbf86935b "busybox", argc=3, argv=0xbf8673c4) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/applets.c:449
    #6  0x0804865f in main (argc=198, argv=0xbf8673c4) at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/applets/busybox.c:76

When compiled with ssp, searching will sometimes smash the stack:

    $ echo 'This will get less to stacksmash. Search four times for a. That is: /a, /a, /a, /a. (Aaah!)' >file
    $ busybox less file
    [doing as it says]
    busybox: stack smashing attack in function regex_process()
    Aborted

    (gdb) bt
    #0  0xffffe410 in __kernel_vsyscall ()
    #1  0x08139f65 in kill ()
    #2  0x0813520e in __stack_smash_handler ()
    #3  0x08085c34 in regex_process () at /var/tmp/portage/busybox-1.1.2/work/busybox-1.1.2/miscutils/less.c:709
    #4  0x1b6d305b in ?? ()
    #5  0x686d305b in ?? ()
    #6  0x000a2921 in ?? ()
    #7  0x082f1b00 in correction ()
    #8  0x00000000 in ?? ()

Emerge --info:

    Gentoo Base System version 1.12.0_pre16
    Portage 2.0.54 (default-linux/x86/2005.1, gcc-3.4.6-hardenednopie, glibc-2.3.6-r3, 2.6.16 i686)
    =================================================================
    System uname: 2.6.16 i686 AMD Athlon(tm) XP 2800+
    dev-lang/python:     2.4.2
    sys-apps/sandbox:    1.2.12
    sys-devel/autoconf:  2.13, 2.59-r7
    sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
    sys-devel/binutils:  2.16.1
    sys-devel/libtool:   1.5.22
    virtual/os-headers:  2.6.11-r2
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CBUILD="i686-pc-linux-gnu"
    CFLAGS="-march=athlon-xp -Os -pipe -fomit-frame-pointer"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoconfig distlocks notitles sandbox sfperms strict test userpriv usersandbox"
    LINGUAS="en eo es nl"
    MAKEOPTS="-j1"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    USE="x86 3dnow X aac aim alsa apm arts asf audiofile avi bash-completion berkdb bitmap-fonts bzip2 cdparanoia cdr crypt curl dga dio dri dv dvb eds emboss encode esd ethereal exif expat fam fbcon ffmpeg flac gd gdbm gif glut glx gpm gstreamer gtk gtk2 gtkhtml hardened icq idn imagemagick imap imlib isdnlog jabber jpeg jpeg2k kde kdeenablefinal lcms libg++ libwww lm_sensors lua mad mbox mbrola memlimit mikmod mime mmap mmx mng mp3 mpeg musepack nas ncurses nls nptl nsplugin ogg openal opengl oscar pam pcre pdflib pic png pppd python qt quicktime readline recode sasl scanner sdl shorten slang sndfile sox speex spell sqlite sse ssl svg svga tcltk test theora threads tidy tiff truetype truetype-fonts type1-fonts unicode usb vcd vorbis win32codecs wmf xface xine xml xml2 xmms xpm xsl xv xvid yahoo zlib video_cards_via video_cards_vesa video_cards_fbdev linguas_en linguas_eo linguas_es linguas_nl userland_GNU kernel_linux elibc_glibc"
    Unset: ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS
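An added, defender-side illustration that is not busybox code: the format string in frame #3 of the first backtrace, "%.*s%s%.*s%s%s", reads like a prefix / highlight-on / match / highlight-off / suffix split, and a strlen() crash beneath vfprintf is what an unchecked NULL %s argument produces. The code below builds such a line only after validating every pointer and length, and rejects the zero-length match a one-character or empty search can yield; HIGHLIGHT, NORMAL, highlight_match, highlight_first and highlight_equals are assumed names, and the prefix/match/suffix reading of the format is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the escape sequences a pager emits around a match. */
#define HIGHLIGHT "\033[7m"
#define NORMAL    "\033[0m"
/* Build before + HIGHLIGHT + match + NORMAL + after for the match at [start, end)
 * with the conversion sequence seen in the bb_xasprintf frame.  Arguments are
 * checked first so vsnprintf never gets a NULL %s (the strlen() crash in #0). */
char *highlight_match(const char *line, size_t start, size_t end)
{
    if (line == NULL || start >= end || end > strlen(line))
        return NULL;                  /* empty or out-of-range match */
    const char *after = line + end;   /* inside line or at its NUL */
    int n = snprintf(NULL, 0, "%.*s%s%.*s%s%s", (int)start, line,
                     HIGHLIGHT, (int)(end - start), line + start, NORMAL, after);
    if (n < 0)
        return NULL;
    char *out = malloc((size_t)n + 1);
    if (out == NULL)
        return NULL;
    snprintf(out, (size_t)n + 1, "%.*s%s%.*s%s%s", (int)start, line,
             HIGHLIGHT, (int)(end - start), line + start, NORMAL, after);
    return out;
}

/* Substring search for needle; a NULL or empty needle (a zero-length match for
 * a regex) yields NULL instead of a split at offset 0. */
char *highlight_first(const char *line, const char *needle)
{
    if (line == NULL || needle == NULL || *needle == '\0')
        return NULL;
    const char *hit = strstr(line, needle);
    if (hit == NULL)
        return NULL;
    size_t start = (size_t)(hit - line);
    return highlight_match(line, start, start + strlen(needle));
}

/* 1 if highlighting `line` for `needle` yields exactly `expected`. */
int highlight_equals(const char *line, const char *needle, const char *expected)
{
    char *got = highlight_first(line, needle);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```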
Even just doing `echo | busybox less` and then hitting '/' makes it crash. Once I fix this upstream I'll fix up the ebuild.
Fixed in 1.2.0.