Fix memory leaks, access bugs, use-before-initialization bugs

src/controller/api/status.c

@@ -137,6 +137,7 @@ bool handle_post( struct http_request* req, struct account* a )
 
 		char* url = aformat( "https://%s/media/%d/blob", g_server_name, m->id );
 		array_append( &s->media, sizeof(url), &url );
+		media_free(m);
 	}
 
 	if( params.in_reply_to_id ) {
@@ -177,6 +178,7 @@ cleanup:
 	for( int i = 0; i < params.media_ids.count; ++i ) {
 		free( params.media_ids.items[i] );
 	}
+	free( params.media_ids.items);
 	status_free(s);
 	return result;
 failed:

src/controller/api/timeline.c

@@ -11,6 +11,8 @@
 // Controller
 #include "controller/api/status.h"
 
+#include <string.h>
+
 bool handle_timeline( struct http_request* req, int timeline_id )
 {
 	struct params_t {
@@ -43,7 +45,7 @@ bool handle_timeline( struct http_request* req, int timeline_id )
 		http_query_parse( req, fields, &params );
 	}
 
-	if( params.limit > 32 ) { params.limit = 32; }
+	if( params.limit > 100 ) { params.limit = 100; }
 
 	struct timeline* tl = timeline_from_id( timeline_id );
 	if( !tl ) {
@@ -54,6 +56,7 @@ bool handle_timeline( struct http_request* req, int timeline_id )
 	}
 
 	struct status* ss[params.limit];
+	memset(ss,0,sizeof(ss));
 
 	struct status* items[params.limit];
 	struct {
@@ -84,6 +87,7 @@ load_statuses:
 		show.count += 1;
 		if( 0 ) {
 			filtered:
+			status_free(s);
 			//printf( "Filtered out %d\n", s->id );
 		}
 	}
@@ -101,8 +105,8 @@ load_statuses:
 done:
 	show_statuses( req, show.items, show.count );
 
-	for( int i = 0; i < count; ++i ) {
-		status_free( ss[i] );
+	for( int i = 0; i < show.count; ++i ) {
+		status_free( show.items[i] );
 	}
 
 	timeline_free(tl);

src/controller/main.c

@@ -42,7 +42,7 @@ const char* mime_type_for_filename( const char* filename )
 
 	for( int i = 0; extensions[i].extension; ++i ) {
 		int s = strlen( extensions[i].extension );
-		if( 0 == strcmp( extensions[i].extension, &filename[len-s] ) ) {
+		if( ( len - s >= 0 ) && ( 0 == strcmp( extensions[i].extension, &filename[len-s] ) ) ) {
 			return extensions[i].mime_type;
 		}
 	}
@@ -131,6 +131,7 @@ bool route_media( struct http_request* req )
 	// Route: /media/%d{id}/
 	int id = -1;
 	if( 1 != sscanf( id_str, "%d", &id ) ) { return false; }
+	free(id_str);
 
 	struct media* m = media_from_id( id );
 	if( !m ) { return false; }

src/controller/owner.c

@@ -30,6 +30,8 @@ static bool handle_featured( struct http_request* req )
 	FILE* f = http_request_get_response_body(req);
 	#include "src/view/owner/featured.json.inc"
 
+	account_free( owner_account );
+
 	return true;
 }
 static bool handle_followers( struct http_request* req )

src/controller/webfinger.c

@@ -3,16 +3,18 @@
 #include "http/server/request.h"
 
 #include <string.h>
+#include <stdlib.h>
 
 bool route_wellknown_webfinger( struct http_request* req )
 {
 	// /.well-known/webfinger?resource=acct:teknomunk@apogee.polaris-1.work
 	const char* key;
 	char* resource;
+	char* resource_orig;
 
 	while( key = http_request_route_query_key( req ) ) {
 		if( 0 == strcmp(key,"resource") ) {
-			resource = strdup(http_request_route_query_value(req) );
+			resource_orig = resource = strdup(http_request_route_query_value(req) );
 		} else {
 			http_request_route_query_value(req);
 		}
@@ -31,6 +33,8 @@ bool route_wellknown_webfinger( struct http_request* req )
 		#include "src/view/webfinger.json.inc"
 	#undef RENDER
 
+	free(resource_orig);
+
 	return true;
 }
 

src/ffdb

@@ -1 +1 @@
-Subproject commit ee80be2064a0399b9501dbb1ecd22d120c067a66
+Subproject commit 1ff6bad820c11291302efb084992b719e27b1c52

src/http

@@ -1 +1 @@
-Subproject commit 51831f744cba7ebc198e2e201689bcf9b3239c54
+Subproject commit febaf3e449be61fd285dbe8b410b1fbfbdde9e6a

src/model/account.c

@@ -575,6 +575,7 @@ void account_deliver_activity_to_followers( struct account* a, struct ap_activit
 		printf( "keys.count = %d\n", keys.count );
 		for( int j = 0; j < keys.count; ++j ) {
 			int account_id = atoi(keys.items[j]);
+			free(keys.items[j]);
 			printf( "account_id = %d\n", account_id );
 			struct account* follower_account = account_from_id(account_id);
 			account_deliver_activity( follower_account, act, oel );

src/model/ap/account.c

@@ -119,17 +119,26 @@ void ap_account_free( struct ap_account* acc )
 
 	free(acc->id);
 	free(acc->url);
+
 	free(acc->name);
 	free(acc->preferredUsername);
 	free(acc->inbox);
+	free(acc->shared_inbox);
 	free(acc->outbox);
+
 	free(acc->featured);
 	free(acc->followers);
 	free(acc->following);
+
 	free(acc->avatar);
 	free(acc->banner);
+
 	free(acc->summary);
 
+	free(acc->public_key.id);
+	free(acc->public_key.owner);
+	free(acc->public_key.pem);
+
 	free(acc);
 }
 void ap_account_debug_dump( struct ap_account* acc )

src/model/ap/activity.c

@@ -120,30 +120,35 @@ void ap_activity_free_composite( struct ap_activity* act )
 {
 	free(act->id);
 	free(act->actor);
+
 	free(act->context);
+
 	free(act->attributed_to);
 	free(act->target);
+	free(act->in_reply_to);
+
 	free(act->content.content);
 	free(act->source.content);
+
 	free(act->conversation);
+
 	free(act->summary);
-	free(act->in_reply_to);
 
 	for( int i = 0; i < act->tags.count; ++i ) {
 		ap_activity_tag_free(act->tags.items[i]);
 	}
 	free(act->tags.items);
 
-	for( int i = 0; i < act->also_known_as.count; ++i ) {
-		free( act->also_known_as.items[i] );
-	}
-	free(act->also_known_as.items);
-
 	for( int i = 0; i < act->attachments.count; ++i ) {
 		ap_attachement_free( act->attachments.items[i] );
 	}
 	free( act->attachments.items );
 
+	for( int i = 0; i < act->also_known_as.count; ++i ) {
+		free( act->also_known_as.items[i] );
+	}
+	free(act->also_known_as.items);
+
 	for( int i = 0; i < act->to.count; ++i ) {
 		free(act->to.items[i]);
 	}
@@ -159,6 +164,8 @@ void ap_activity_free_composite( struct ap_activity* act )
 	}
 	free(act->bcc.items);
 
+	free( act->state );
+
 	switch( act->object.tag ) {
 		case apaot_ref:
 			free( act->object.ref );
@@ -168,7 +175,6 @@ void ap_activity_free_composite( struct ap_activity* act )
 			act->object.ptr = 0;
 			break;
 	};
-	free( act->state );
 
 	free( act->signature.creator );
 	free( act->signature.value );
@@ -395,6 +401,7 @@ struct ap_activity* ap_activity_create_note( struct status* s )
 
 			array_append( &act->attachments, sizeof(att), &att );
 		}
+		media_free(m);
 	}
 
 	for( int i = 0; i < s->emoji.count; ++i ) {
@@ -405,7 +412,6 @@ struct ap_activity* ap_activity_create_note( struct status* s )
 		memset(tag,0,sizeof(*tag));
 
 		tag->type = aptag_emoji;
-		tag->updated = time(NULL);
 		tag->icon.url = strdup(e->url);
 		tag->id = strdup(e->url);
 		tag->icon.type = apot_image;

src/model/ap/activity/tag.c

@@ -50,7 +50,9 @@ void ap_activity_tag_free( struct ap_activity_tag* tag )
 
 	free(tag->href);
 	free(tag->name);
+	free(tag->id);
 	free(tag->icon.url);
+
 	memset(tag,0,sizeof(*tag));
 	free(tag);
 }

src/model/ap/outbox_envelope.c

@@ -103,7 +103,7 @@ void outbox_envelope_list_save( struct outbox_envelope_list* oel )
 void outbox_envelope_list_free_composite( struct outbox_envelope_list* oel )
 {
 	for( int i = 0; i < oel->count; ++i ) {
-		free(oel->items[i]);
+		outbox_envelope_free(oel->items[i]);
 	}
 	free(oel->items);
 }

src/model/emoji.c

@@ -8,6 +8,7 @@
 #include <dirent.h>
 #include <string.h>
 #include <stdlib.h>
+#include <libgen.h>
 
 #define OBJ_TYPE struct emoji
 struct json_object_field emoji_layout[] = {
@@ -38,18 +39,17 @@ char* filename_for_shortcode( const char* shortcode )
 
 struct emoji* emoji_from_shortcode( const char* shortcode )
 {
-	/* check for existence of emoji */ {
-		char* filename = filename_for_shortcode( shortcode );
-		if( !filename ) { return NULL; }
-		free(filename);
-	}
+	// check for existence of emoji
+	char* filename = filename_for_shortcode( shortcode );
+	if( !filename ) { return NULL; }
 
 	struct emoji* e;
 	e = malloc(sizeof(*e));
 	memset(e,0,sizeof(*e));
 
 	e->shortcode = strdup(shortcode);
-	e->url = aformat( "https://%s/emoji/%s", g_server_name, shortcode );
+	e->url = aformat( "https://%s/emoji/%s/%s", g_server_name, shortcode, basename(filename) );
+	free(filename);
 
 	return e;
 }

src/model/status.c

@@ -488,6 +488,7 @@ void status_free( struct status* s )
 	if( !s ) { return; }
 
 	free(s->url);
+
 	free(s->content);
 	free(s->source);
 
@@ -504,10 +505,15 @@ void status_free( struct status* s )
 	free(s->reacts.items);
 
 	free(s->likes.items);
-	free(s->reposts.items);
+	free(s->replies.items);
 	free(s->reposts.items);
 	free(s->mentions.items);
 
+	for( int i = 0; i < s->emoji.count; ++i ) {
+		emoji_free( s->emoji.items[i] );
+	}
+	free(s->emoji.items);
+
 	free(s);
 }
 struct async_status_fetch
@@ -574,6 +580,7 @@ void status_make_reply_to( struct status* s, int in_reply_to_id )
 
 		status_save(in_reply_to);
 	}
+	status_free(in_reply_to);
 }
 void status_get_context( struct status* s, void* ancestors_ptr, void* replies_ptr )
 {

src/model/status.h

@@ -16,7 +16,7 @@ struct status
 	bool stub;
 	bool remote;
 
-	char* content; // Deprecate from file system data and render when loading
+	char* content;
 	char* source;
 	bool sensitive;
 	bool pinned;

src/model/status/render.c

@@ -99,6 +99,8 @@ char* status_render_source( struct status* s )
 			// Ignore
 		}
 
+		if( !*i ) { break; }
+
 		fputc( *i, f );
 	}
 

src/model/webfinger.c

@@ -29,6 +29,7 @@ void link_free( struct link* l )
 	free(l->href);
 	free(l->type);
 	free(l->rel);
+	free(l);
 }
 JSON_FIELD_TYPE_OBJECT_LAYOUT_WITH_DEFAULTS( link );
 struct result
@@ -63,6 +64,7 @@ char* webfinger_query( const char* handle, const char* rel, const char* type )
 	printf( "* Fetching %s\n", uri );
 	char tmp_filename[512];
 	FILE* f = fopen(format(tmp_filename,512,"%s.tmp",filename),"w");
+	if( !f ) { return NULL; }
 
 	long status_code = -1;
 	const void* request[] = {
@@ -71,18 +73,18 @@ char* webfinger_query( const char* handle, const char* rel, const char* type )
 		HTTP_REQ_RESULT_STATUS, &status_code,
 		NULL,
 	};
+
 	if( !http_client_do( request ) ) {
 		printf( "! Unable to fetch %s\n", uri );
 		fclose(f);
 		return NULL;
 	}
+	fclose(f);
 
 	printf( "status_code = %d\n", status_code );
 	if( status_code != 200 ) {
-		fclose(f);
 		return NULL;
 	}
-	fclose(f);
 	rename(tmp_filename,filename);
 
 	// Get the href value requested