mirror of https://github.com/weechat/weechat.git synced 2026-06-28 13:56:37 +02:00

core: fix buffer overflow in function utf8_next_char and return NULL for empty string

Now the function utf8_next_char with an empty string returns NULL instead of
a pointer to the next char, which most of the time lies past the end of an allocated buffer.

And the function utf8_char_size with an empty string now returns 0 instead of
1.

This indirectly fixes a buffer overflow in function eval_string_range_chars
when the input string is empty (for example when doing `/eval -n ${chars:}`).
Sébastien Helleu
2025-05-10 20:40:09 +02:00
parent 6ecd9e66bf
commit d475c16671
12 changed files with 126 additions and 48 deletions
+11 -1
@@ -254,6 +254,8 @@ string_reverse (const char *string)
while (ptr_string && ptr_string[0])
{
char_size = utf8_char_size (ptr_string);
if (char_size < 1)
break;
ptr_result -= char_size;
memcpy (ptr_result, ptr_string, char_size);
@@ -313,6 +315,8 @@ string_reverse_screen (const char *string)
if (ptr_string[0])
{
char_size = utf8_char_size (ptr_string);
if (char_size < 1)
break;
ptr_result -= char_size;
memcpy (ptr_result, ptr_string, char_size);
@@ -934,7 +938,7 @@ string_strcasestr (const char *string, const char *search)
if (!string || !search || (length_search == 0))
return NULL;
while (string[0])
while (string && string[0])
{
if (string_strncasecmp (string, search, length_search) == 0)
return (char *)string;
@@ -4139,6 +4143,8 @@ string_input_for_buffer (const char *string)
return string;
next_char = utf8_next_char (string);
if (!next_char)
return NULL;
/* next char is a space, then it's not a command */
if (next_char[0] == ' ')
@@ -4226,8 +4232,12 @@ string_levenshtein (const char *string1, const char *string2,
last_diag + ((char1 == char2) ? 0 : 1));
last_diag = old_diag;
ptr_str1 = utf8_next_char (ptr_str1);
if (!ptr_str1)
break;
}
ptr_str2 = utf8_next_char (ptr_str2);
if (!ptr_str2)
break;
}
return column[length1];
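Review bot: In string_reverse and string_reverse_screen (the first two hunks) the new `break` leaves the copy loop while ptr_result is still above the start of the output buffer, so if the function then returns the buffer start, as the backwards fill suggests, the caller would receive leading bytes that were never written. Both functions begin and end outside the hunks, so that return path is inferred rather than visible. The guard looks unreachable today because the enclosing condition already requires `ptr_string[0]` to be non-zero, and the commit message says utf8_char_size returns 0 for an empty string; a comment such as `/* defensive: utf8_char_size returns 0 for an empty string, excluded by the test above */` would record that. If the guard can be reached, the early exit should free the buffer and return NULL instead of falling through to the normal return. The same applies to the two `break`s in string_levenshtein, where `return column[length1];` would report a distance taken from a partly updated column.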