Skip to content

fix(strbuf): resolve potential use-after-free and UB in ffStrbufSetNS#2265

Merged
CarterLi merged 1 commit intofastfetch-cli:devfrom
fam007e:fix/strbuf-uaf
Apr 9, 2026
Merged

fix(strbuf): resolve potential use-after-free and UB in ffStrbufSetNS#2265
CarterLi merged 1 commit intofastfetch-cli:devfrom
fam007e:fix/strbuf-uaf

Conversation

@fam007e
Copy link
Copy Markdown
Contributor

@fam007e fam007e commented Apr 8, 2026

Summary

This PR fixes a "Potential use after free" security alert flagged by CodeQL and addresses Undefined Behavior (UB) when setting a buffer to a substring of itself.

Related issue (required for new logos for new distros)

Fixes a CodeQL security alert (no public issue was found).

Changes

  • Use-After-Free Fix: Modified ffStrbufSetNS to allocate and copy into a new buffer before freeing the old one. This ensures that if the source value points into the current buffer, it remains valid during the copy even if reallocation is required.
  • Overlap Safety: Replaced memcpy with memmove in the non-reallocating path to safely handle cases where value points to an overlapping memory region within the same buffer.

Checklist

  • I have tested my changes locally. (Verified with fastfetch-test-strbuf)

@CarterLi CarterLi merged commit 2b82e9a into fastfetch-cli:dev Apr 9, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fam007e @CarterLi