From de3a771d5359441a0065d47f128b194d496cc91a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= Date: Sun, 5 Jul 2026 10:22:59 +0200 Subject: [PATCH] core: fix possible buffer overflow in list of commands displayed by /help (issue #2330) Fix: c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn security vulnerability Found by OrbisAI Security --- CHANGELOG.md | 1 + src/core/core-command.c | 24 +++++++++++++----------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ce722d35d..546b1c3a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ SPDX-License-Identifier: GPL-3.0-or-later - core: fix buffer overflow in connection to SOCKS5 proxy ([#2325](https://github.com/weechat/weechat/issues/2325)) - core: fix possible buffer overflow in command /color alias ([#2330](https://github.com/weechat/weechat/issues/2330)) +- core: fix possible buffer overflow in list of commands displayed by /help ([#2330](https://github.com/weechat/weechat/issues/2330)) - relay/api: fix memory leak in resources "handshake", "input" and "completion" ([GHSA-wmpc-m6g9-fwj8](https://github.com/weechat/weechat/security/advisories/GHSA-wmpc-m6g9-fwj8)) - relay: fix read of uncompressed websocket frame ([#2331](https://github.com/weechat/weechat/issues/2331)) - xfer: fix out-of-bounds write in xfer file transfer resume ([#2326](https://github.com/weechat/weechat/issues/2326)) diff --git a/src/core/core-command.c b/src/core/core-command.c index bc8c07093..55687b7aa 100644 --- a/src/core/core-command.c +++ b/src/core/core-command.c @@ -2975,7 +2975,7 @@ command_help_list_plugin_commands (struct t_weechat_plugin *plugin, struct t_gui_buffer *ptr_buffer; int command_found, length, max_length, list_size; int cols, lines, col, line, index; - char str_format[64], str_command[256], str_line[2048]; + char str_format[64], str_command[256], **str_line; if (verbose) { @@ -3078,27 +3078,29 @@ command_help_list_plugin_commands (struct t_weechat_plugin *plugin, } /* display lines with commands, in columns */ - for (line = 0; line < lines; line++) + str_line = string_dyn_alloc (256); + if (str_line) { - str_line[0] = '\0'; - for (col = 0; col < cols; col++) + for (line = 0; line < lines; line++) { - index = (col * lines) + line; - if (index < list_size) + string_dyn_copy (str_line, NULL); + for (col = 0; col < cols; col++) { - item = weelist_get (list, index); - if (item) + index = (col * lines) + line; + if (index < list_size) { - if (strlen (str_line) + strlen (weelist_string (item)) + 1 < (int)sizeof (str_line)) + item = weelist_get (list, index); + if (item) { snprintf (str_command, sizeof (str_command), str_format, weelist_string (item)); - strcat (str_line, str_command); + string_dyn_concat (str_line, str_command, -1); } } } + gui_chat_printf (NULL, "%s", *str_line); } - gui_chat_printf (NULL, "%s", str_line); + string_dyn_free (str_line, 1); } }