Merge pull request #3544 from airween/v3/acmppmfix

airween · web-flow · commit 46bfa5276b0e · 2026-04-20T09:30:57.000+02:00
fix: heap buffer overflow in acmp pm
diff --git a/src/utils/acmp.cc b/src/utils/acmp.cc
@@ -387,17 +387,20 @@ if (parser->is_active != 0) return -1;
             child->pattern = (char *)"";
             child->letter = letter;
             child->depth = i;
-            child->text = (char *)calloc(1, strlen(pattern) + 2);
+            child->text = (char *)calloc(1, i + 2);
             /* ENH: Check alloc succeded */
-            for (j = 0; j <= i; j++) child->text[j] = pattern[j];
+            for (j = 0; j <= i; j++) {
+                child->text[j] = pattern[j];
+            }
         }
         if (i == length - 1) {
             if (child->is_last == 0) {
                 parser->dict_count++;
                 child->is_last = 1;
-                child->pattern = (char *)calloc(1, strlen(pattern) + 2);
+                child->pattern = (char *)calloc(1, length + 1);
                 /* ENH: Check alloc succeded */
-                strcpy(child->pattern, pattern);
+                memcpy(child->pattern, pattern, length);
+                child->pattern[length] = '\0';
             }
             child->callback = callback;
             child->callback_data = data;
