From 30529057c89e82172d431da68e1330628c11ea72 Mon Sep 17 00:00:00 2001
From: aizu-m
Date: Thu, 4 Jun 2026 12:14:33 +0530
Subject: [PATCH] irc: fix out-of-bounds read in DCC command with quoted filename
---
 CHANGELOG.md | 1 +
 src/plugins/irc/irc-ctcp.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d169caec9..239c88da8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 - api: fix infinite loop in function string_replace when the search string is empty
 - irc: limit size of data received from the server to prevent memory exhaustion
+- irc: fix out-of-bounds read on incoming DCC command with a quoted filename ending the message
 - relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
 - xfer: replace directory separator in remote nick by underscore in download filename to prevent writing the file outside the download directory
diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
index e7b0f8e73..5273f6df0 100644
--- a/src/plugins/irc/irc-ctcp.c
+++ b/src/plugins/irc/irc-ctcp.c
@@ -857,7 +857,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
 * double-quote
 */
 pos = strrchr (pos_file, '"');
- if (!pos || (pos == pos_file))
+ if (!pos || (pos == pos_file) || !pos[1])
 {
 weechat_printf (
 ctxt->server->buffer,
@@ -1032,7 +1032,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
 * double-quote
 */
 pos = strrchr (pos_file, '"');
- if (!pos || (pos == pos_file))
+ if (!pos || (pos == pos_file) || !pos[1])
 {
 weechat_printf (
 ctxt->server->buffer,
@@ -1176,7 +1176,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
 * double-quote
 */
 pos = strrchr (pos_file, '"');
- if (!pos || (pos == pos_file))
+ if (!pos || (pos == pos_file) || !pos[1])
 {
 weechat_printf (
 ctxt->server->buffer,
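Review bot: The new `!pos[1]` clause in the guard at `@@ -857` (repeated verbatim at `@@ -1032` and `@@ -1176`) carries the whole bounds fix, yet nothing at the site says why it is there; the comment above it still only describes locating the last double-quote. I would add `/* a closing quote that ends the message leaves nothing after it to parse: reject it rather than read past the terminator */` above each check, or better, move the three identical checks into one static helper so a later DCC branch cannot miss the condition. The code that consumes `pos` after the guard lies outside these hunks, so it is worth confirming that it never reads more than one byte beyond the quote when that byte is not a space. The diffstat touches only CHANGELOG.md and irc-ctcp.c, so a unit test feeding a DCC message that ends on the closing quote would pin the fix for all three branches.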