From 5729ae082a7342285f372a83e86048e76a2bb8dc Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Sun, 12 Apr 2026 19:09:38 +0200
Subject: [PATCH 1/2] fix: heap buffer overflow in acmp pm
---
 src/utils/acmp.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/utils/acmp.cc b/src/utils/acmp.cc
index c1614b3fe5..b3ba500482 100644
--- a/src/utils/acmp.cc
+++ b/src/utils/acmp.cc
@@ -387,7 +387,7 @@ if (parser->is_active != 0) return -1;
 child->pattern = (char *)"";
 child->letter = letter;
 child->depth = i;
- child->text = (char *)calloc(1, strlen(pattern) + 2);
+ child->text = (char *)calloc(1, length + 2);
 /* ENH: Check alloc succeded */
 for (j = 0; j <= i; j++) child->text[j] = pattern[j];
 }
@@ -395,9 +395,10 @@ if (parser->is_active != 0) return -1;
 if (child->is_last == 0) {
 parser->dict_count++;
 child->is_last = 1;
- child->pattern = (char *)calloc(1, strlen(pattern) + 2);
+ child->pattern = (char *)calloc(1, length + 2);
 /* ENH: Check alloc succeded */
- strcpy(child->pattern, pattern);
+ memcpy(child->pattern, pattern, length);
+ child->pattern[length] = '\0';
 }
 child->callback = callback;
 child->callback_data = data;
From 66c338e1fce5a6294bdd790aa1b7312a9f4bd19c Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Sun, 12 Apr 2026 22:31:13 +0200
Subject: [PATCH 2/2] Remove unnecessary memory allocation
---
 src/utils/acmp.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/utils/acmp.cc b/src/utils/acmp.cc
index b3ba500482..b1e96449f5 100644
--- a/src/utils/acmp.cc
+++ b/src/utils/acmp.cc
@@ -387,7 +387,7 @@ if (parser->is_active != 0) return -1;
 child->pattern = (char *)"";
 child->letter = letter;
 child->depth = i;
- child->text = (char *)calloc(1, length + 2);
+ child->text = (char *)calloc(1, i + 2);
 /* ENH: Check alloc succeded */
 for (j = 0; j <= i; j++) child->text[j] = pattern[j];
 }
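Review bot: The new `calloc(1, length + 2)` result in `child->text` is still dereferenced unchecked by the `for` loop on the next line, so on allocation failure `child->text[j] = pattern[j]` writes through a null pointer; the `/* ENH: Check alloc succeded */` comment names the gap but the fix leaves it open. A guard before the loop, `if (child->text == NULL) return -1;`, would follow the `return -1` convention shown in the hunk header, though whether the partly built `child` must be released first depends on code outside the hunk. The same unchecked allocation result recurs at the `child->pattern` calloc in this patch's second hunk and is carried unchanged into both hunks of PATCH 2/2. The enclosing function starts and ends outside the hunk.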
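Review bot: With `memcpy(child->pattern, pattern, length)` the stored pattern may now contain embedded NUL bytes — the input the commit is fixing for — but nothing in the hunk records `length` next to `child->pattern`, so any later reader that treats it as a C string (`strlen`, `%s` in a log line or a callback) silently sees only the prefix up to the first NUL; the node struct and its readers are outside the hunk, so this is inferred and worth confirming. A comment at the `memcpy` line would pin the contract where it is set: `/* length bytes copied verbatim and may include NULs; the NUL appended below is a convenience, not a length marker */`. `length` is computed above the hunk, presumably from a caller-supplied byte count, so the function's header comment should also state that that many bytes of `pattern` must be readable, since the copy no longer stops at a terminator.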
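Review bot: `calloc(1, i + 2)` on the changed line is the exact size but reads as a magic offset: the `for` loop below stores `pattern[0..i]`, i.e. `i + 1` bytes, and the terminator comes only from calloc's zero fill, which a reader has to re-derive. A one-line comment there, `/* holds pattern[0..i]; the trailing NUL comes from calloc's zero fill */`, keeps the sizing reviewable, and the matching `length + 1` in the following hunk deserves the same note. Because the loop copies raw bytes, `child->text` inherits the embedded-NUL behaviour of `child->pattern`: any `%s` on it would print a truncated prefix, which matters if `text` is used for diagnostics (its consumers are outside the hunk).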
@@ -395,7 +395,7 @@ if (parser->is_active != 0) return -1;
 if (child->is_last == 0) {
 parser->dict_count++;
 child->is_last = 1;
- child->pattern = (char *)calloc(1, length + 2);
+ child->pattern = (char *)calloc(1, length + 1);
 /* ENH: Check alloc succeded */
 memcpy(child->pattern, pattern, length);
 child->pattern[length] = '\0';
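Review bot: After shrinking the buffer to `calloc(1, length + 1)`, the explicit `child->pattern[length] = '\0'` on the last context line is redundant with calloc's zero fill, and keeping both leaves a reader unsure which one the sizing relies on. Either `malloc(length + 1)` paired with the explicit terminator, or calloc with a comment `/* calloc already zero-fills; the explicit NUL below documents the terminator */`, states the intent once. The hunk ends inside the `if (child->is_last == 0)` block, so the closing brace and the callback assignments are outside view.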