From cf2d0733d35f4948737a7bd97c3b756e0a8c769e Mon Sep 17 00:00:00 2001
From: aizu-m
Date: Thu, 4 Jun 2026 12:14:33 +0530
Subject: [PATCH] irc: fix out-of-bounds read in DCC command with quoted filename (#2322)
---
 CHANGELOG.md | 1 +
 src/plugins/irc/irc-ctcp.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce026db22..0894592f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@
 - api: fix infinite loop in function string_replace when the search string is empty
 - irc: limit size of data received from the server to prevent memory exhaustion
+- irc: fix out-of-bounds read on incoming DCC command with a quoted filename ending the message ([#2322](https://github.com/weechat/weechat/issues/2322))
 - relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
 - relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
 - api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
index 7f363304f..fd03fdb61 100644
--- a/src/plugins/irc/irc-ctcp.c
+++ b/src/plugins/irc/irc-ctcp.c
@@ -855,7 +855,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
 * double-quote
 */
 pos = strrchr (pos_file, '"');
- if (!pos || (pos == pos_file))
+ if (!pos || (pos == pos_file) || !pos[1])
 {
 weechat_printf (
 ctxt->server->buffer,
@@ -1030,7 +1030,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
 * double-quote
 */
 pos = strrchr (pos_file, '"');
- if (!pos || (pos == pos_file))
+ if (!pos || (pos == pos_file) || !pos[1])
 {
 weechat_printf (
 ctxt->server->buffer,
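Review bot: The added `!pos[1]` term in the hunk at line 855 carries no comment explaining why a closing quote at the very end of the string is rejected, and the same uncommented guard is repeated in the hunks at 1030 and 1174. I would put `/* a closing quote that ends the string leaves nothing to parse after it */` above each check; since the three sites are identical, a small static helper that returns the validated closing-quote pointer would also keep them from drifting apart. irc_ctcp_recv_dcc starts and ends outside these hunks and the statements that advance past `pos` are not visible, so it is worth confirming that one guaranteed byte after the quote is enough for how far they read. The diffstat lists only CHANGELOG.md and irc-ctcp.c, so no regression test accompanies the fix; a test that feeds a DCC message whose quoted filename ends the message would pin the behaviour.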
@@ -1174,7 +1174,7 @@ irc_ctcp_recv_dcc (struct t_irc_protocol_ctxt *ctxt, const char *arguments)
 * double-quote
 */
 pos = strrchr (pos_file, '"');
- if (!pos || (pos == pos_file))
+ if (!pos || (pos == pos_file) || !pos[1])
 {
 weechat_printf (
 ctxt->server->buffer,