less/less-471-out_of_bounds_read.patch

diff -up ./less-471/charset.c.utf8 ./less-471/charset.c
--- ./less-471/charset.c.utf8	2014-12-14 19:19:11.000000000 +0100
+++ ./less-471/charset.c	2015-06-01 08:59:38.140122262 +0200
@@ -506,8 +506,9 @@ utf_len(ch)
  * Does the parameter point to the lead byte of a well-formed UTF-8 character?
  */
 	public int
-is_utf8_well_formed(s)
+is_utf8_well_formed(s, slen)
 	unsigned char *s;
+	int slen;
 {
 	int i;
 	int len;
@@ -516,6 +517,8 @@ is_utf8_well_formed(s)
 		return (0);
 
 	len = utf_len((char) s[0]);
+	if (len > slen)
+		return (0);
 	if (len == 1)
 		return (1);
 	if (len == 2)
@@ -547,7 +550,7 @@ utf_bin_count(data, len)
 	int bin_count = 0;
 	while (len > 0)
 	{
-		if (is_utf8_well_formed(data))
+		if (is_utf8_well_formed(data, len))
 		{
 			int clen = utf_len(*data);
 			data += clen;
diff -up ./less-471/cmdbuf.c.utf8 ./less-471/cmdbuf.c
--- ./less-471/cmdbuf.c.utf8	2014-12-14 19:19:11.000000000 +0100
+++ ./less-471/cmdbuf.c	2015-06-01 09:00:43.247776312 +0200
@@ -1264,7 +1264,7 @@ cmd_char(c)
 			cmd_mbc_buf[cmd_mbc_buf_index++] = c;
 			if (cmd_mbc_buf_index < cmd_mbc_buf_len)
 				return (CC_OK);
-			if (!is_utf8_well_formed(cmd_mbc_buf))
+			if (!is_utf8_well_formed(cmd_mbc_buf, cmd_mbc_buf_index))
 			{
 				/* complete, but not well formed (non-shortest form), sequence */
 				cmd_mbc_buf_len = 0;
diff -up ./less-471/line.c.utf8 ./less-471/line.c
--- ./less-471/line.c.utf8	2015-06-01 08:57:28.000000000 +0200
+++ ./less-471/line.c	2015-06-01 09:00:01.061352521 +0200
@@ -807,7 +807,7 @@ pappend(c, pos)
 			mbc_buf[mbc_buf_index++] = c;
 			if (mbc_buf_index < mbc_buf_len)
 				return (0);
-			if (is_utf8_well_formed(mbc_buf))
+			if (is_utf8_well_formed(mbc_buf, mbc_buf_index))
 				r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
 			else
 				/* Complete, but not shortest form, sequence. */