Commit Graph

7711 Commits

Author SHA1 Message Date
Michael Vetter
d8c16640c5 Merge pull request #2097 from profanity-im/fix/731-pseudo-join
fix: Ignore self-presence for untracked MUC rooms
2026-02-28 11:32:24 +01:00
Michael Vetter
e18b71576e Merge pull request #2096 from profanity-im/fix/1997-floatingpoint
fix: Fix Floating Point Exception in OMEMO session building
2026-02-28 11:07:35 +01:00
Michael Vetter
9fb45b543b fix: Ignore self-presence for untracked MUC rooms
Only handle self-presence for rooms we are actively managing.

Earlier we blindly react to any self-presence
stanza by calling 'ui_room_join'.

The join could have been initiated by another client or an external
Gateway. In the case of #731 this was Slack.
I remember that more people reported this kind of bug in our MUC.

We then would open a window and the nick would be (null) because we
don't have any nickname for that room set.

So only react on self-presence if we manage the MUC.
Other XMPP clients do the same.

Fix https://github.com/profanity-im/profanity/issues/731
2026-02-28 10:42:03 +01:00
Michael Vetter
45c551b8ac Merge pull request #2095 from profanity-im/morefixes
Add more compiler flags
2026-02-28 10:34:33 +01:00
Michael Vetter
bc13a726b6 fix: Fix Floating Point Exception in OMEMO session building
When an OMEMO bundle is received with an empty <prekeys/> element,
`prekeys_list` remains empty. In omemo_start_device_session(),
performing a modulo operation on the length of an empty list
(0) triggered a SIGFPE (Floating point exception).

torsocks likely affected the network environment where such empty
or incomplete bundles could be intercepted.

Fix https://github.com/profanity-im/profanity/issues/1997
2026-02-28 10:28:26 +01:00
Michael Vetter
09c9307493 ci: build with ASan and UBSan
Should help us find the following bugs early.

ASan:
* Out-of-bounds accesses
* Use-after-free
* Memory leaks
* Double free / Invalid free

UBSan:
* Undefined Behavior
* Signed integer overflow
* Null pointer dereference
* Pointer misalignment
* Division by zero
* Bit-shifting out of bounds

This needs works during runtime. But let's add it here so that at least
basic --version run is test and as a reminder for developer to add it.
I will also adjust documentation later on.
2026-02-28 10:10:04 +01:00
Michael Vetter
ab4adf19d0 refactor: Refactor form_set_value to use glib list management
Simplify how field values are updated and ensure memory is correctly
managed.

The previous implementation relied on manual manipulation of the
GSList internal `data` member and only handled cases where a field
had zero or one existing value.

The function now correctly handles fields that may
already contain multiple values by using 'g_slist_free_full' to
clear the entire list and its contents before setting the new
value.
2026-02-28 10:02:26 +01:00
Michael Vetter
434a887834 Fix -Wanalyzer-deref-before-check warning in get_message_from_editor
Let's add an explicit check.
2026-02-28 09:55:33 +01:00
Michael Vetter
c24cdcd671 fix: Fix -Wanalyzer-deref-before-check warning in cmd_ac_complete
Adding an explicit NULL check for 'input' at the start of
cmd_ac_complete to prevent a potential crash and resolve
a GCC static analyzer warning.

Quirk Explanation:
The analyzer found  a "deref-before-check" warning for:
`if ((strncmp(input, "/", 1) == 0) && (!strchr(input, ' ')))`

The analyzer interpreted 'strchr(input, ' ')' as a point where the
validity of 'input' is being questioned (a "check"), even though it is
actually checking the return value. This is due to GCC's internal model
of certain standard string functions having a 'nonnull' attribute or
being categorized as pointer "interrogations" in its state machine.

Because 'strncmp' dereferences 'input' earlier in the same line, the
analyzer saw a logical contradiction: "You treat it as safe in strncmp,
but then you call a function (strchr) that 'requires/checks' it to be
safe, implying you weren't sure."
2026-02-28 09:44:27 +01:00
Michael Vetter
4b5c253b89 build: Add -Wpointer-arith flag
Even though we are using with GNU extensions I will add this flag
since I prefer the explicit writing style that we have to use wich
this flag enabled.
2026-02-28 09:29:44 +01:00
Michael Vetter
38624f26a5 Merge pull request #2094 from profanity-im/flags
Let's build with -fanalyzer in debug mode.
These commits are related to issues found by gccs static analyzer.

Also bulid with -fstack-protector-strong compiler flag.
This flag adds a canary to stack frames, causing the program to terminate immediately if stack corruption is detected.

This helps identify memory safety bugs earlier during development by
turning silent corruption into an immediate crash.
2026-02-27 23:15:44 +01:00
Michael Vetter
36b15ec6d5 tests: update unit tests
Not really a best practise. They should have been run before each commit
and updated accordingly. Next time..
2026-02-27 23:01:14 +01:00
Michael Vetter
02cde29b65 cleanup: use g_new() instead of malloc in prof_add_shutdown_routine() 2026-02-27 22:29:45 +01:00
Michael Vetter
051f986774 cleanup: make _connection_handler() safer
Check for the memory before using it.
2026-02-27 22:29:45 +01:00
Michael Vetter
10ef8505f8 cleanup: Cleanup log modul
* _rotate_log_file(): guard against NULL mainlogfile before g_strdup/strlen
* log_stderr_init(): move dup2 after malloc checks to avoid fd leak on
  allocation failure.
  Also remove explicit close(STDERR_FILENO) before dup2
  since dup2 closes the target atomically. Close the fd returned by
  dup2 immediately.
2026-02-27 22:29:45 +01:00
Michael Vetter
35030b7a7e cleanup: use g_new0 instead of malloc in buffer_get_entry_by_id() 2026-02-27 22:29:45 +01:00
Michael Vetter
7876645cb0 cleanup: be a bit more defensive in 2026-02-27 22:29:45 +01:00
Michael Vetter
7b0232c11c wleanup: be a bit more defensive in server_events.c 2026-02-27 22:29:45 +01:00
Michael Vetter
286e563fbe fix: fix redundant error reporting in http download
We were sequentially checking for errors from 'curl_easy_perform',
'ftell', and 'fclose'. Each time overwriting the last one, resulting in
a leak. This commit ensures that 'err' is only set if it is currently
NULL, preserving the first and most specific error encountered.
2026-02-27 22:29:45 +01:00
Michael Vetter
f5787fb31f cleanup: refactor account_eval_password to use glib
Move from popen() to g_spawn_command_line_sync().
Which is nicer and gets rid of a resource leak that was present here.
2026-02-27 22:29:45 +01:00
Michael Vetter
5d31f376dd cleanup: check for strdup() success in stanza_create_http_upload_request() 2026-02-27 22:29:45 +01:00
Michael Vetter
0218ba26c8 fix: fix memory leak and potential crash in iq_id_handler_add
`userdata` was not freed if a handler could not be registered.

This occurs when the 'id' parameter is NULL. In such cases, the
handler cannot be stored in the 'id_handlers' table, but ownership
of 'userdata' has already been transferred to this function. This
commit ensures 'free_func' is called if 'id' is NULL since we always
need to have an ID.
2026-02-27 22:29:45 +01:00
Michael Vetter
e15f659277 fix: Fix NULL dereference and memory leak in _mam_rsm_id_handler
Add NULL checks before calling 'strlen' and also ensures that the string
is long enough before attempting to offset it by 3.
2026-02-27 22:29:45 +01:00
Michael Vetter
776bc262d0 refactor: change vcard_print() checks
data is allocated via g_new0() so cannot be NULL here.
And it was used before the check already so that didn't make any sense
in the first place.
2026-02-27 22:29:45 +01:00
Michael Vetter
1ec536d343 fix: fix api_get_current_occupants() memory problems
Fix a potential NULL pointer dereference. And free the list properly.
2026-02-27 22:29:45 +01:00
Michael Vetter
2406413e14 fix: fix NULL dereference and memory leaks in OX logic
recp elements were accessed without verifying the success of
_ox_key_lookup().

Also fix several memory leaks.

gpgme_data_new() followed 'gpgme_data_new_from_mem' was redundant.
2026-02-27 22:29:42 +01:00
Michael Vetter
16080ab985 cleanup: Fix potential null pointer dereference 2026-02-27 19:45:57 +01:00
Michael Vetter
f74501e97e cleanup: add a defensive check in cmd_process_input() 2026-02-27 19:36:47 +01:00
Michael Vetter
d8a7b234bb fix: segfault when using /command help
Usually we use `/help command`. Additionally there is a shortcut
`/comamnd?`. 54fea4afcf tried to introduce
to have `/command help`. Which doesn't really work since most commands
get this as parameters. So it never worked. Additionally it introduced
at segfault because it tried to set *question_mark to NULL even we can
also get there without the `?` but by having the `help` as parameter.
2026-02-27 19:33:28 +01:00
Michael Vetter
373ec4a7e3 refactor: replace malloc with g_new0 in many occasions 2026-02-27 19:26:42 +01:00
Michael Vetter
de5949e8eb refactor: partly move plugins to glib
That's not very nice yet but we have to start somewhere.
2026-02-27 19:26:42 +01:00
Michael Vetter
20154048e7 refactor: Move pgp module to gchar 2026-02-27 19:26:42 +01:00
Michael Vetter
45dc50eccf fix: initialize OMEMO pointers and add NULL checks 2026-02-27 19:26:42 +01:00
Michael Vetter
55be1de29c cleanup: use g_new0 and g_strdup for alias allocation
And move whole preferences module to gchar.
2026-02-27 19:26:42 +01:00
Michael Vetter
aec8e48268 refactor: modernize cmd_ac_complete_filepath and simplify path handling 2026-02-27 19:26:42 +01:00
Michael Vetter
65ca3c448b fix: handle potential NULL from malloc in OMEMO fingerprint decoding 2026-02-27 19:26:42 +01:00
Michael Vetter
4ee35028e5 cleanup: use g_malloc and auto_gchar in _win_print_wrapped 2026-02-27 19:26:42 +01:00
Michael Vetter
ba5614fb0e cleanup: use auto_FILE and handle fopen failure in command_docgen 2026-02-27 19:26:42 +01:00
Michael Vetter
156b78adfa cleanup: fix potential NULL dereference and leaks in cmd_sendfile
* Add NULL checks for malloc and strdup calls in cmd_sendfile
* Ensure file handles and descriptors are closed on all error paths
2026-02-27 00:02:59 +01:00
Michael Vetter
5711671c99 refactor: roster export uses GString and g_file_set_contents now
Modernize the /export command implementation by adopting GLib-based
patterns for string manipulation and file handling.

* Replace _writecsv with _append_csv_escaped to efficiently handle CSV
  quote doubling directly within a GString buffer
* Refactor cmd_export to build the CSV content in memory using GString,
  minimizing system calls
* Use g_file_set_contents for atomic writing
2026-02-27 00:02:59 +01:00
Michael Vetter
9f3d78a994 refactor: Make _writecsv safer and with better performance
* Cache strlen() result
* Check for malloc() failure to prevent null pointer dereference
* Ensure the output buffer is null-terminated for safe use with cons_show()
* Simplify the quote escaping logic for better readability.
2026-02-27 00:02:52 +01:00
Michael Vetter
3d2a82ad4a cleanup: Fix potential NULL dereference in cmd_omemo_(un)trust
Replace malloc() with g_malloc() to handle allocation failure and
ensure enough memory is allocated for the null terminator.
2026-02-26 19:47:13 +01:00
Michael Vetter
d29fcdbed3 refactor: Use p_contact_new instead of malloc in p_contact_new() 2026-02-26 19:29:43 +01:00
Michael Vetter
48205fc6de cleanup: Initialize waittime to 0
This fixes a -fanalyzer uninitialized value warning.
2026-02-26 19:21:45 +01:00
Michael Vetter
caf84ca731 refactor: use g_new in message_pubsub_event_handler_add() 2026-02-26 19:06:44 +01:00
Michael Vetter
f98e33be81 refactor: make Jid use glib functions 2026-02-26 19:06:44 +01:00
Michael Vetter
abffffb499 refactor: make Resource use glib functions 2026-02-26 19:06:44 +01:00
Michael Vetter
8a36ca6d97 refactor: start to standardize on gchar
Make get_random_string() return a gchar*.

This is part of the effort to migrate string declarations and
allocations from char to gchar, replacing standard C allocators
(malloc/calloc/strdup) with their glib equivalents
(g_malloc/g_new0/g_strdup).

The primary goal is to prevent mismatched allocator bugs. While char and
gchar are binary compatible, mixing their respective deallocators is
dangerous:

* Freeing malloc'd memory with g_free() (or vice versa) can lead to
  memory corruption, double-frees, or crashes.
* This is seems to be the case especiall on non Linux platforms or when
  using hardened memory allocators where the GLib slice allocator or
  wrappers may differ from the system heap.

By standardizing on gchar, we ensure that our automatic cleanup macros
(like auto_gchar) always invoke the correct deallocator (g_free).
2026-02-26 19:06:44 +01:00
Michael Vetter
e1fd2a1cf6 refactor: replace calloc with g_new0 for struct allocations
Migrate structure allocations from calloc to glibs g_new0 macro to
improve type safety and memory robustness.

* Type Safety: The macro takes the type name directly, ensuring the
  allocated size always matches the pointer type.
* Static Analysis: It guarantees a non-NULL return by aborting on
  failure, which silences -fanalyzer warnings regarding potential NULL
  pointer dereferences.
* Readability: Removes redundant sizeof() calls and is the glib way
2026-02-26 19:06:39 +01:00
Michael Vetter
f1d4ed41d6 refactor: Use g_malloc0 instead of calloc in get_random_string()
It automatically aborts the program on allocation failure.
Also eliminates the need for repetitive manual NULL checks.
2026-02-26 16:29:50 +01:00