The format_send_to_gui() function does not validate the length of the string before incrementing the `ptr' pointer in all cases. If that happens, the pointer `ptr' can be incremented twice and thus end past the boundaries of the original `dup' buffer. Remote code execution might be difficult since only Nuls are written.
The format_send_to_gui() function does not validate the length of the string before incrementing the `ptr' pointer in all cases. If that happens, the pointer `ptr' can be incremented twice and thus end past the boundaries of the original `dup' buffer. Remote code execution might be difficult since only Nuls are written.
https://irssi.org/security/irssi_sa_2016.txt