Fix remaining memory and buffer issues

- Use memcpy with pointer arithmetic for safe string concatenation - Track and free allocated strings in spawn error path - Properly account for null terminator in all buffer operations - Eliminate potential buffer overflows from strncat edge cases Co-authored-by: squassina <8495707+squassina@users.noreply.github.com>
2026-06-29 13:14:48 -04:00 · 2026-02-18 09:03:32 +00:00 · 2026-02-18 09:03:32 +00:00 · 969c68b66d
commit 969c68b66d
parent 5d145cc80f
2 changed files with 22 additions and 14 deletions
--- a/src/config/parse_config.h
+++ b/src/config/parse_config.h
@ -591,27 +591,29 @@ static char *combine_args_until_empty(char *values[], int count) {
 	// 	plus the number of commas (first_empty-1 commas)
 	total_len += (first_empty - 1);

-	// 	allocate memory and concatenate
+	// allocate memory and concatenate safely
 	char *combined = malloc(total_len + 1);
 	if (combined == NULL) {
 		return strdup("");
 	}

-	combined[0] = '\0';
-	size_t current_len = 0;
+	char *ptr = combined;
+	size_t remaining = total_len + 1; // Include space for null terminator
+	
 	for (int i = 0; i < first_empty; i++) {
-		if (i > 0 && current_len < total_len) {
-			strncat(combined, ",", total_len - current_len);
-			current_len++;
+		if (i > 0 && remaining > 1) {
+			*ptr++ = ',';
+			remaining--;
 		}
-		if (current_len < total_len) {
-			size_t remaining = total_len - current_len;
+		if (remaining > 1) {
 			size_t val_len = strlen(values[i]);
-			size_t will_add = (val_len < remaining) ? val_len : remaining;
-			strncat(combined, values[i], remaining);
-			current_len += will_add;
+			size_t to_copy = (val_len < remaining - 1) ? val_len : remaining - 1;
+			memcpy(ptr, values[i], to_copy);
+			ptr += to_copy;
+			remaining -= to_copy;
 		}
 	}
+	*ptr = '\0'; // Null terminate

 	return combined;
 }