Absorbs the still-relevant null-pointer guards from #107 and extends them for consistency across all _omemo_fingerprint_decode() callers:
- _omemo_fingerprint_decode(): return NULL on NULL input instead of dereferencing it via strlen().
- omemo_is_trusted_identity(): bail out (FALSE) when decode fails and zero-init fingerprint_len, instead of passing a NULL buffer / reading an uninitialized length into signal_buffer_append().
- omemo_trust(): bail out when decode fails (previously unchecked; under OOM it would save a bogus 1-byte identity).
Every decode failure is now logged (omemo_is_trusted_identity / omemo_trust / omemo_untrust) instead of failing silently; omemo_trust also surfaces a user-facing error.
The cmd_funcs.c hunks from #107 are dropped: master already has the strtok guard, and its fdopen guard is more complete (it closes the fd).
- proftest: declare the _mkdir_recursive loop index inside the for.
- xmpp/presence: shorten the resource-snapshot comment to one line.
- command/cmd_funcs: report the /vcard remove index error via cons_show_error.
- common: replace g_assert in g_diff_to_gsize with a log_error + return 0
(moved out of the header into common.c); take get_random_string length as
size_t instead of asserting non-negative.
- otr: drop the change-narrating comment on the whitespace memmove.
Refs #112
The functional-test harness compared a signed loop index against strlen()'s
size_t, which the newly promoted -Wsign-compare turns into a -Werror failure
when the test binaries are built. Make the index size_t.
Refs #112
Re-introduce the build hardening that 5459e78e8 attempted, in a form that
coexists with Arch/Pikaur builds (the conflict that forced its revert in
0722dc9e3).
configure.ac:
- Add -D_FORTIFY_SOURCE=2 only when neither $CFLAGS nor $CPPFLAGS already
define _FORTIFY_SOURCE (makepkg injects its own) and not under --coverage.
- Route glib/gio CFLAGS through -isystem so their macros don't trip our -W set.
- Add --enable-sanitizers (ASan + UBSan; unsigned-integer-overflow probed,
skipped on gcc) for a dedicated CI job, off by default.
- Add --enable-hardening to gate -Wnull-dereference (false positives under
-O2 on some toolchains), off by default.
- Promote -Wsign-compare from -Wno- to an active probed warning.
Also fix the sign-conversion sites that -Wsign-compare/-Wconversion cleanup
surfaced as safe (pointer-diff to gsize via new g_diff_to_gsize helper,
non-negative int casts), and validate the /vcard remove index through
strtoi_range so a negative argument can no longer become a huge unsigned
index.
Refs #112
- xmpp: gate XEP-0359 stanza-id dedup on disco urn:xmpp:sid:0. Before
honoring <stanza-id by='…'/> for archive_id dedup, check that the entity
in `by` (or its domain — that's what profanity disco's on connect)
announces the namespace; fall back to no-dedup when caps are unknown,
matching the XEP §6 disco-gate (#1).
- accounts: narrow group-name sanitizer to only the characters GKeyFile
actually forbids in group headers (`[`, `]`, `\n`, `\r`); `=` and `#` are
valid inside a header and stay (#2).
- functional tests cover both branches of the disco gate — replayed
stanza-id is flagged as duplicate when sid:0 is announced, and not
flagged when it isn't.
Refs #112
- otr: strip the OTR whitespace tag by shifting the full remaining tail
(including the trailing NUL) instead of tag_length bytes, which duplicated
the body for messages longer than the tag (#8).
- xmpp: snapshot resource name/status/priority/presence before
connection_add_available_resource() transfers ownership of the Resource, so
the later reads can no longer become a use-after-free (#9).
- omemo: propagate _omemo_finalize_identity_load failure on connect — mark the
context unloaded, log it, surface a cons_show_error, and stop instead of
silently leaving OMEMO unavailable (#10).
Refs #112