From f91f92b48fc04470909671d5e626a23e63617169 Mon Sep 17 00:00:00 2001
From: aizu-m <aizumusheer2@gmail.com>
Date: Sat, 6 Jun 2026 10:31:18 +0530
Subject: [PATCH] xfer: fix out-of-bounds read in xfer_chat_recv_cb on empty
 line (#2323)

---
 CHANGELOG.md                 | 1 +
 src/plugins/xfer/xfer-chat.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 239c88da8..3c64e2491 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 - irc: fix out-of-bounds read on incoming DCC command with a quoted filename ending the message
 - relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
 - xfer: replace directory separator in remote nick by underscore in download filename to prevent writing the file outside the download directory
+- xfer: fix out-of-bounds read when receiving empty line in DCC chat ([#2323](https://github.com/weechat/weechat/issues/2323))
 
 ## Version 4.9.1 (2026-05-31)
 
diff --git a/src/plugins/xfer/xfer-chat.c b/src/plugins/xfer/xfer-chat.c
index 7473af826..d33e8db2a 100644
--- a/src/plugins/xfer/xfer-chat.c
+++ b/src/plugins/xfer/xfer-chat.c
@@ -162,7 +162,7 @@ xfer_chat_recv_cb (const void *pointer, void *data, int fd)
             {
                 ctcp_action = 0;
                 length = strlen (ptr_buf);
-                if (ptr_buf[length - 1] == '\r')
+                if ((length > 0) && (ptr_buf[length - 1] == '\r'))
                 {
                     ptr_buf[length - 1] = '\0';
                     length--;