From fa29dd8e6323c9cf1720346be6f5d8e43e586091 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= Date: Sun, 5 Jul 2026 11:59:18 +0200 Subject: [PATCH] api: do not free dynamic string on error in function string_dyn_concat --- CHANGELOG.md | 1 + doc/en/weechat_plugin_api.en.adoc | 2 ++ doc/fr/weechat_plugin_api.fr.adoc | 2 ++ doc/it/weechat_plugin_api.it.adoc | 3 +++ doc/ja/weechat_plugin_api.ja.adoc | 3 +++ doc/sr/weechat_plugin_api.sr.adoc | 3 +++ src/core/core-string.c | 6 ++---- 7 files changed, 16 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 546b1c3a7..095595bf3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ SPDX-License-Identifier: GPL-3.0-or-later - core: fix buffer overflow in connection to SOCKS5 proxy ([#2325](https://github.com/weechat/weechat/issues/2325)) - core: fix possible buffer overflow in command /color alias ([#2330](https://github.com/weechat/weechat/issues/2330)) - core: fix possible buffer overflow in list of commands displayed by /help ([#2330](https://github.com/weechat/weechat/issues/2330)) +- api: do not free dynamic string on error in function string_dyn_concat - relay/api: fix memory leak in resources "handshake", "input" and "completion" ([GHSA-wmpc-m6g9-fwj8](https://github.com/weechat/weechat/security/advisories/GHSA-wmpc-m6g9-fwj8)) - relay: fix read of uncompressed websocket frame ([#2331](https://github.com/weechat/weechat/issues/2331)) - xfer: fix out-of-bounds write in xfer file transfer resume ([#2326](https://github.com/weechat/weechat/issues/2326)) diff --git a/doc/en/weechat_plugin_api.en.adoc b/doc/en/weechat_plugin_api.en.adoc index ecdec4cfd..562dfe247 100644 --- a/doc/en/weechat_plugin_api.en.adoc +++ b/doc/en/weechat_plugin_api.en.adoc @@ -3474,6 +3474,8 @@ Concatenate a string to a dynamic string. The pointer _*string_ can change if the string is reallocated (if there is not enough space to concatenate the string). +In case of error, the dynamic string is left unchanged. + Prototype: [source,c] diff --git a/doc/fr/weechat_plugin_api.fr.adoc b/doc/fr/weechat_plugin_api.fr.adoc index 49f43569a..02cec3a2b 100644 --- a/doc/fr/weechat_plugin_api.fr.adoc +++ b/doc/fr/weechat_plugin_api.fr.adoc @@ -3532,6 +3532,8 @@ Concaténer une chaîne dans une chaîne dynamique. Le pointeur _*string_ peut changer si la chaîne est réallouée (s'il n'y a pas assez de place pour concaténer la chaîne). +En cas d'erreur, la chaîne dynamique reste inchangée. + Prototype : [source,c] diff --git a/doc/it/weechat_plugin_api.it.adoc b/doc/it/weechat_plugin_api.it.adoc index a490dd8a6..a69b8ede2 100644 --- a/doc/it/weechat_plugin_api.it.adoc +++ b/doc/it/weechat_plugin_api.it.adoc @@ -3635,6 +3635,9 @@ Concatenate a string to a dynamic string. The pointer _*string_ can change if the string is reallocated (if there is not enough space to concatenate the string). +// TRANSLATION MISSING +In case of error, the dynamic string is left unchanged. + Prototipo: [source,c] diff --git a/doc/ja/weechat_plugin_api.ja.adoc b/doc/ja/weechat_plugin_api.ja.adoc index aa9eb0ca0..9a054fdfd 100644 --- a/doc/ja/weechat_plugin_api.ja.adoc +++ b/doc/ja/weechat_plugin_api.ja.adoc @@ -3586,6 +3586,9 @@ _WeeChat バージョン 1.8 以上で利用可, updated in 3.0_ 文字列が再確保された場合 (文字列を連結するのに十分なサイズが確保されていなかった場合) にはポインタ _*string_ が変わる可能性があります。 +// TRANSLATION MISSING +In case of error, the dynamic string is left unchanged. + プロトタイプ: [source,c] diff --git a/doc/sr/weechat_plugin_api.sr.adoc b/doc/sr/weechat_plugin_api.sr.adoc index 51fb0670e..2fa202457 100644 --- a/doc/sr/weechat_plugin_api.sr.adoc +++ b/doc/sr/weechat_plugin_api.sr.adoc @@ -3356,6 +3356,9 @@ _WeeChat ≥ 1.8, ажурирано у верзији 3.0._ Показивач на стринг _*string_ може да се промени ако се стринг реалоцира (у случају да нема довољно простора за надовезивање стринга). +// TRANSLATION MISSING +In case of error, the dynamic string is left unchanged. + Прототип: [source,c] diff --git a/src/core/core-string.c b/src/core/core-string.c index 27644d7be..3731e2823 100644 --- a/src/core/core-string.c +++ b/src/core/core-string.c @@ -4768,6 +4768,8 @@ string_dyn_copy (char **string, const char *new_string) * if the string had to be extended, or the same pointer if there was enough * size to concatenate the new string. * + * In case of error, the dynamic string is left unchanged. + * * Return: * 1: OK * 0: error @@ -4803,11 +4805,7 @@ string_dyn_concat (char **string, const char *add, int bytes) new_size_alloc = new_size; string_realloc = realloc (ptr_string_dyn->string, new_size_alloc); if (!string_realloc) - { - free (ptr_string_dyn->string); - free (ptr_string_dyn); return 0; - } ptr_string_dyn->string = string_realloc; ptr_string_dyn->size_alloc = new_size_alloc; }