Version 4.6.3

.github/workflows/ci.yml

@@ -92,7 +92,7 @@ env:
     ruby
     rubygem-asciidoctor
     sudo
-    tcl87
+    tcl86
     zstd
 
 jobs:

CHANGELOG.md

@@ -1,5 +1,18 @@
 # WeeChat ChangeLog
 
+## Version 4.6.3 (2025-05-11)
+
+### Fixed
+
+- core: fix integer overflow with decimal numbers in calculation of expression
+- core: fix integer overflow in base32 encoding/decoding
+- core: fix integer overflow in function util_version_number
+- core: fix buffer overflow in function util_parse_time
+- core: fix buffer overflow in function eval_syntax_highlight_colorize
+- core: fix buffer overflow in function eval_string_base_encode
+- core: fix buffer overflow in function eval_string_range_chars
+- core: fix memory leak in function util_parse_delay
+
 ## Version 4.6.2 (2025-04-18)
 
 ### Fixed

UPGRADING.md

@@ -7,6 +7,14 @@ When upgrading from version X to Y, please read and apply all instructions from
 
 For a list of all changes in each version, please see [CHANGELOG.md](CHANGELOG.md).
 
+## Version 4.6.3
+
+### API function util_version_number
+
+An integer overflow has been fixed in the function
+[util_version_number](https://weechat.org/doc/weechat/plugin/#_util_version_number)
+which now returns a version up to "127.255.255.255" (0x7FFFFFFF).
+
 ## Version 4.6.0
 
 ### Relay remote commands

src/core/core-calc.c

@@ -336,9 +336,9 @@ calc_expression (const char *expr)
     struct t_arraylist *list_values, *list_ops;
     const char *ptr_expr, *ptr_expr2;
     char str_result[64], *ptr_operator, *operator;
-    int index_op, decimals;
+    int index_op;
     enum t_calc_symbol last_symbol;
-    double value, factor, *ptr_value;
+    double value, factor, decimals, *ptr_value;
 
     list_values = NULL;
     list_ops = NULL;

src/core/core-eval.c

@@ -300,6 +300,9 @@ eval_string_range_chars (const char *range)
     string = NULL;
     result = NULL;
 
+    if (!range || !range[0])
+        goto end;
+
     for (i = 0; eval_range_chars[i][0]; i++)
     {
         if (strcmp (range, eval_range_chars[i][0]) == 0)
@@ -309,11 +312,15 @@ eval_string_range_chars (const char *range)
     char1 = utf8_char_int (range);
 
     /* next char must be '-' */
+    if (!range[0])
+        goto end;
     ptr_char = utf8_next_char (range);
     if (!ptr_char || !ptr_char[0] || (ptr_char[0] != '-'))
         goto end;
 
     /* next char is the char2 */
+    if (!range[0])
+        goto end;
     ptr_char = utf8_next_char (ptr_char);
     if (!ptr_char || !ptr_char[0])
         goto end;
@@ -894,7 +901,7 @@ eval_string_base_encode (const char *text)
 
     ptr_string++;
     length = strlen (ptr_string);
-    result = malloc ((length * 4) + 1);
+    result = malloc ((length * 4) + 8 + 1);
     if (!result)
         goto end;
 
@@ -1572,7 +1579,8 @@ eval_syntax_highlight_colorize (const char *value)
             else if (ptr_value[0] == '-')
                 color--;
         }
-        ptr_value++;
+        if (ptr_value[0])
+            ptr_value++;
         if (config_num_eval_syntax_colors > 0)
         {
             string_dyn_concat (

src/core/core-string.c

@@ -3570,7 +3570,8 @@ int
 string_base32_encode (const char *from, int length, char *to)
 {
     unsigned char base32_table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-    int count, value, next, bits_left, pad, index;
+    unsigned int value;
+    int count, next, bits_left, pad, index;
     int length_padding[8] = { 0, 0, 6, 0, 4, 3, 0, 2 };
 
     if (!from || !to)
@@ -3648,7 +3649,8 @@ int
 string_base32_decode (const char *from, char *to)
 {
     const char *ptr_from;
-    int value, bits_left, count;
+    int bits_left, count;
+    unsigned int value;
     unsigned char c;
 
     if (!from || !to)

src/core/core-util.c

@@ -285,7 +285,8 @@ util_strftimeval (char *string, int max, const char *format, struct timeval *tv)
 int
 util_parse_time (const char *datetime, struct timeval *tv)
 {
-    char *string, *pos, *pos2, str_usec[16], *error, str_date[128];
+    char *string, *pos, *pos2, str_usec[16], *error;
+    char str_date[128], str_date2[256];
     struct tm tm_date, tm_date_gm, tm_date_local, *local_time;
     time_t time_now, time_gm, time_local;
     long long value;
@@ -445,10 +446,10 @@ util_parse_time (const char *datetime, struct timeval *tv)
         local_time = localtime (&time_now);
         strftime (str_date, sizeof (str_date),
                   "%Y-%m-%dT", local_time);
-        strcat (str_date, string);
+        snprintf (str_date2, sizeof (str_date2), "%s%s", str_date, string);
         /* initialize structure, because strptime does not do it */
         memset (&tm_date, 0, sizeof (struct tm));
-        pos = strptime (str_date, "%Y-%m-%dT%H:%M:%S", &tm_date);
+        pos = strptime (str_date2, "%Y-%m-%dT%H:%M:%S", &tm_date);
         if (pos)
         {
             if (use_local_time)
@@ -571,7 +572,6 @@ util_parse_delay (const char *string_delay, unsigned long long default_factor,
 
     if ((pos > string_delay) && pos[0])
     {
-        str_number = string_strndup (string_delay, pos - string_delay);
         if (strcmp (pos, "us") == 0)
             factor = 1ULL;
         else if (strcmp (pos, "ms") == 0)
@@ -584,6 +584,7 @@ util_parse_delay (const char *string_delay, unsigned long long default_factor,
             factor = 1000ULL * 1000ULL * 60ULL * 60ULL;
         else
             return 0;
+        str_number = string_strndup (string_delay, pos - string_delay);
     }
     else
     {
@@ -670,7 +671,9 @@ util_version_number (const char *version)
                 {
                     if (number < 0)
                         number = 0;
-                    else if (number > 0xFF)
+                    else if ((i == 0) && (number > 0x7F))
+                        number = 0x7F;
+                    else if ((i > 0) && (number > 0xFF))
                         number = 0xFF;
                     version_int[i] = number;
                 }

tests/unit/core/test-core-util.cpp

@@ -537,4 +537,9 @@ TEST(CoreUtil, VersionNumber)
     LONGS_EQUAL(0x01010100, util_version_number ("1.1.1"));
     LONGS_EQUAL(0x01010200, util_version_number ("1.1.2"));
     LONGS_EQUAL(0x01020304, util_version_number ("1.2.3.4"));
+    LONGS_EQUAL(0x7EFFFFFF, util_version_number ("126.255.255.255"));
+    LONGS_EQUAL(0x7FFFFFFF, util_version_number ("127.255.255.255"));
+    LONGS_EQUAL(0x7FFFFFFF, util_version_number ("128.255.255.255"));
+    LONGS_EQUAL(0x7FFFFFFF, util_version_number ("255.255.255.255"));
+    LONGS_EQUAL(0x7FFFFFFF, util_version_number ("999999999.999999999.999999999.999999999"));;
 }

version.sh

@@ -39,8 +39,8 @@
 #     devel-number   the devel version as hex number ("0x04010000" for "4.1.0-dev")
 #
 
-weechat_stable="4.6.2"
-weechat_devel="4.6.2"
+weechat_stable="4.6.3"
+weechat_devel="4.6.3"
 
 stable_major=$(echo "${weechat_stable}" | cut -d"." -f1)
 stable_minor=$(echo "${weechat_stable}" | cut -d"." -f2)