From 6330ec76e055bc2bc9f573e7ad0eff4cda85b5e1 Mon Sep 17 00:00:00 2001
From: aizu-m <aizumusheer2@gmail.com>
Date: Thu, 18 Jun 2026 00:59:45 +0530
Subject: [PATCH] xfer: fix out-of-bounds write in xfer_dcc_resume_hash (#2326)

---
 CHANGELOG.md                | 1 +
 src/plugins/xfer/xfer-dcc.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6ee016a0..bdf19151d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
 - relay: fix out-of-bounds read in dump of data ([#2324](https://github.com/weechat/weechat/issues/2324))
 - xfer: replace directory separator in remote nick by underscore in download filename to prevent writing the file outside the download directory ([#2321](https://github.com/weechat/weechat/issues/2321))
 - xfer: fix out-of-bounds read when receiving empty line in DCC chat ([#2323](https://github.com/weechat/weechat/issues/2323))
+- xfer: fix out-of-bounds write in xfer file transfer resume ([#2326](https://github.com/weechat/weechat/issues/2326))
 - build: fix build on Solaris/illumos (issue #2251)
 
 ## Version 4.6.3 (2025-05-11)
diff --git a/src/plugins/xfer/xfer-dcc.c b/src/plugins/xfer/xfer-dcc.c
index 2503d094a..4c99fb711 100644
--- a/src/plugins/xfer/xfer-dcc.c
+++ b/src/plugins/xfer/xfer-dcc.c
@@ -240,8 +240,8 @@ int
 xfer_dcc_resume_hash (struct t_xfer *xfer)
 {
     char *buf;
-    unsigned long long total_read;
-    ssize_t length_buf, to_read, num_read;
+    unsigned long long total_read, length_buf, to_read;
+    ssize_t num_read;
     int ret, fd;
 
     total_read = 0;