From aa77bff164d541b00110a0d1f8de717d8c19e99a Mon Sep 17 00:00:00 2001 From: orbisai0security Date: Sun, 28 Jun 2026 16:15:14 +0000 Subject: [PATCH] core: fix possible buffer overflow in command /color alias (issue #2330) Fix: c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn security vulnerability Automated security fix generated by OrbisAI Security --- CHANGELOG.md | 1 + src/core/core-command.c | 17 ++++++----------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f191a6fe8..20e54e3e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,7 @@ SPDX-License-Identifier: GPL-3.0-or-later - core: fix option weechat.look.color_real_white not applied when color is "white" on 16+ colors terminals ([#1742](https://github.com/weechat/weechat/issues/1742)) - core: fix buffer overflow in connection to SOCKS5 proxy ([#2325](https://github.com/weechat/weechat/issues/2325)) +- core: fix possible buffer overflow in command /color alias ([#2330](https://github.com/weechat/weechat/issues/2330)) - api: fix infinite loop in function string_replace when the search string is empty - irc: fix tag in message with list of names when joining a channel - fset: remove error displayed in core buffer when clicking with the mouse below the last option displayed diff --git a/src/core/core-command.c b/src/core/core-command.c index c21e59af3..733f31933 100644 --- a/src/core/core-command.c +++ b/src/core/core-command.c @@ -1700,17 +1700,12 @@ COMMAND_CALLBACK(color) else str_alias = argv[i]; } - str_color[0] = '\0'; - if (str_alias) - { - strcat (str_color, ";"); - strcat (str_color, str_alias); - } - if (str_rgb) - { - strcat (str_color, ";"); - strcat (str_color, str_rgb); - } + snprintf (str_color, sizeof (str_color), + "%s%s%s%s", + (str_alias) ? ";" : "", + (str_alias) ? str_alias : "", + (str_rgb) ? ";" : "", + (str_rgb) ? str_rgb : ""); /* add color alias */ snprintf (str_command, sizeof (str_command),