mirror of https://github.com/weechat/weechat.git synced 2026-07-05 17:23:15 +02:00

core: fix possible buffer overflow in list of commands displayed by /help (issue #2330)

Fix: c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn security vulnerability

Found by OrbisAI Security
Sébastien Helleu
2026-07-05 10:22:59 +02:00
parent aa77bff164
commit 20f5ecc6dd
2 changed files with 14 additions and 11 deletions
+1
@@ -32,6 +32,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
- core: fix option weechat.look.color_real_white not applied when color is "white" on 16+ colors terminals ([#1742](https://github.com/weechat/weechat/issues/1742))
- core: fix buffer overflow in connection to SOCKS5 proxy ([#2325](https://github.com/weechat/weechat/issues/2325))
- core: fix possible buffer overflow in command /color alias ([#2330](https://github.com/weechat/weechat/issues/2330))
- core: fix possible buffer overflow in list of commands displayed by /help ([#2330](https://github.com/weechat/weechat/issues/2330))
- api: fix infinite loop in function string_replace when the search string is empty
- irc: fix tag in message with list of names when joining a channel
- fset: remove error displayed in core buffer when clicking with the mouse below the last option displayed
+13 -11
@@ -2943,7 +2943,7 @@ command_help_list_plugin_commands (struct t_weechat_plugin *plugin,
struct t_gui_buffer *ptr_buffer;
int command_found, length, max_length, list_size;
int cols, lines, col, line, index;
char str_format[64], str_command[256], str_line[2048];
char str_format[64], str_command[256], **str_line;
if (verbose)
{
@@ -3046,27 +3046,29 @@ command_help_list_plugin_commands (struct t_weechat_plugin *plugin,
}
/* display lines with commands, in columns */
for (line = 0; line < lines; line++)
str_line = string_dyn_alloc (256);
if (str_line)
{
str_line[0] = '\0';
for (col = 0; col < cols; col++)
for (line = 0; line < lines; line++)
{
index = (col * lines) + line;
if (index < list_size)
string_dyn_copy (str_line, NULL);
for (col = 0; col < cols; col++)
{
item = weelist_get (list, index);
if (item)
index = (col * lines) + line;
if (index < list_size)
{
if (strlen (str_line) + strlen (weelist_string (item)) + 1 < (int)sizeof (str_line))
item = weelist_get (list, index);
if (item)
{
snprintf (str_command, sizeof (str_command),
str_format, weelist_string (item));
strcat (str_line, str_command);
string_dyn_concat (str_line, str_command, -1);
}
}
}
gui_chat_printf (NULL, "%s", *str_line);
}
gui_chat_printf (NULL, "%s", str_line);
string_dyn_free (str_line, 1);
}
}
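Review bot: The `snprintf` into `str_command` is now the only fixed-size step left in the column loop and its return value is still ignored, so a command whose padded form exceeds 255 bytes is silently truncated before `string_dyn_concat` appends it. That is memory-safe because the write is bounded by `sizeof (str_command)`, but it can break column alignment and may cut a multibyte character; a comment such as `/* str_command is bounded: longer names are truncated, never overflowed */` would record that this is intended. `str_format` is built outside the visible lines, so its width presumably comes from `max_length`; it is worth confirming that value is clamped to what `str_command` can hold. When `string_dyn_alloc` returns NULL the whole list is skipped without any message, which is fine as best-effort but deserves a one-line comment next to `if (str_line)`. The body of `command_help_list_plugin_commands` starts and continues outside these hunks.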