From 3db2f71112ea85fa88b57f2c91be66a91ad7c078 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Helleu?=
Date: Sat, 10 May 2025 21:38:26 +0200
Subject: [PATCH] core: fix buffer overflow in function eval_string_range_chars
---
 CHANGELOG.md | 1 +
 src/core/core-eval.c | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 902deec30..99c15c116 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@
 - core: fix buffer overflow in function util_parse_time
 - core: fix buffer overflow in function eval_syntax_highlight_colorize
 - core: fix buffer overflow in function eval_string_base_encode
+- core: fix buffer overflow in function eval_string_range_chars
 - core: fix memory leak in function util_parse_delay
 ## Version 4.6.2 (2025-04-18)
diff --git a/src/core/core-eval.c b/src/core/core-eval.c
index 329553115..8914b86b8 100644
--- a/src/core/core-eval.c
+++ b/src/core/core-eval.c
@@ -300,6 +300,9 @@ eval_string_range_chars (const char *range)
 string = NULL;
 result = NULL;
+ if (!range || !range[0])
+ goto end;
+
 for (i = 0; eval_range_chars[i][0]; i++)
 {
 if (strcmp (range, eval_range_chars[i][0]) == 0)
@@ -309,11 +312,15 @@ eval_string_range_chars (const char *range)
 char1 = utf8_char_int (range);
 /* next char must be '-' */
+ if (!range[0])
+ goto end;
 ptr_char = utf8_next_char (range);
 if (!ptr_char || !ptr_char[0] || (ptr_char[0] != '-'))
 goto end;
 /* next char is the char2 */
+ if (!range[0])
+ goto end;
 ptr_char = utf8_next_char (ptr_char);
 if (!ptr_char || !ptr_char[0])
 goto end;
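Review bot: The two `if (!range[0]) goto end;` guards added in the second hunk of src/core/core-eval.c look unreachable, because the entry guard added in the first hunk (`if (!range || !range[0]) goto end;`) has already rejected an empty `range` and none of the visible lines reassign it. The second of them sits directly before `utf8_next_char (ptr_char)`, so if the intent was to stop that advance from stepping past the terminator it should test the pointer being advanced, `if (!ptr_char[0]) goto end;`, although the preceding context check already guarantees `ptr_char[0]` is `'-'` at that point. Either drop both guards or mark them with a comment such as `/* defensive: range[0] already checked at function entry */`, so a later reader does not mistake them for the bounds check that closes the overflow. The diffstat lists only CHANGELOG.md and core-eval.c, so a regression test covering an empty range, a single character, and a character followed only by `-` would pin the fix. The function body starts and ends outside both hunks, so the reads after the last `goto end;` could not be reviewed here.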