From 209ffbe50edd32847f0754c9b2564f7f99abd867 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Helleu?=
Date: Sun, 11 May 2025 17:10:29 +0200
Subject: [PATCH] core: fix buffer overflow in function eval_string_range_chars
---
 ChangeLog.adoc | 1 +
 src/core/wee-eval.c | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/ChangeLog.adoc b/ChangeLog.adoc
index 1bae173e6..6e2361689 100644
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@@ -20,6 +20,7 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
 Bug fixes::
+ * core: fix buffer overflow in function eval_string_range_chars
 * core: fix buffer overflow in function eval_string_base_encode
 * core: fix integer overflow in function util_version_number
 * core: fix integer overflow in base32 encoding/decoding
diff --git a/src/core/wee-eval.c b/src/core/wee-eval.c
index c463baaac..295560017 100644
--- a/src/core/wee-eval.c
+++ b/src/core/wee-eval.c
@@ -299,6 +299,9 @@ eval_string_range_chars (const char *range)
 string = NULL;
 result = NULL;
+ if (!range || !range[0])
+ goto end;
+
 for (i = 0; eval_range_chars[i][0]; i++)
 {
 if (strcmp (range, eval_range_chars[i][0]) == 0)
@@ -308,11 +311,15 @@ eval_string_range_chars (const char *range)
 char1 = utf8_char_int (range);
 /* next char must be '-' */
+ if (!range[0])
+ goto end;
 ptr_char = utf8_next_char (range);
 if (!ptr_char || !ptr_char[0] || (ptr_char[0] != '-'))
 goto end;
 /* next char is the char2 */
+ if (!range[0])
+ goto end;
 ptr_char = utf8_next_char (ptr_char);
 if (!ptr_char || !ptr_char[0])
 goto end;
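Review bot: The guard added at the top of eval_string_range_chars (`if (!range || !range[0]) goto end;`) comes with no regression test; the diffstat lists only ChangeLog.adoc and src/core/wee-eval.c. A unit test that calls the function with NULL and with an empty string and expects a NULL result would keep this memory-safety fix from regressing. A one-line comment above the guard, such as `/* NULL or empty range: nothing to expand, and utf8_next_char must not step past the terminator */`, would also record why it is there. The function starts and ends outside the hunk, so the NULL return via `end` is inferred from `result = NULL`.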
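Review bot: Both `if (!range[0]) goto end;` checks added in this hunk test `range[0]`, which the guard this commit adds at the top of the function (`if (!range || !range[0])`) has already rejected, so unless `range` is reassigned in the lines between the two hunks neither can ever fire. The second one sits in front of `utf8_next_char (ptr_char)`, where the byte about to be stepped over is `ptr_char[0]`, not `range[0]`, and that byte is already known to be '-' from the preceding check. I would drop both, or if a local guard is wanted make the second `if (!ptr_char[0]) goto end;`, so the code does not suggest a bounds check that does no work. The function body starts and ends outside the hunk.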