pegasus/weechat
1
0
Fork 0
mirror of https://github.com/weechat/weechat.git synced 2026-06-12 14:14:48 +02:00
Code Activity

irc: fix out-of-bounds read in DCC command with quoted filename

Browse Source
This commit is contained in:
aizu-m
2026-06-04 12:14:33 +05:30
committed by Sébastien Helleu
parent a69f356182
commit 30529057c8
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+1
View File
@@ -12,6 +12,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
- api: fix infinite loop in function string_replace when the search string is empty
- irc: limit size of data received from the server to prevent memory exhaustion
- irc: fix out-of-bounds read on incoming DCC command with a quoted filename ending the message
- relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
- xfer: replace directory separator in remote nick by underscore in download filename to prevent writing the file outside the download directory
src/plugins/irc/irc-ctcp.c
+3 -3
View File
@@ -857,7 +857,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
* double-quote
*/
pos = strrchr (pos_file, '"');
if (!pos || (pos == pos_file))
if (!pos || (pos == pos_file) || !pos[1])
{
weechat_printf (
ctxt->server->buffer,
@@ -1032,7 +1032,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
* double-quote
*/
pos = strrchr (pos_file, '"');
if (!pos || (pos == pos_file))
if (!pos || (pos == pos_file) || !pos[1])
{
weechat_printf (
ctxt->server->buffer,
@@ -1176,7 +1176,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
* double-quote
*/
pos = strrchr (pos_file, '"');
if (!pos || (pos == pos_file))
if (!pos || (pos == pos_file) || !pos[1])
{
weechat_printf (
ctxt->server->buffer,