From d271bc3d0a22f2aaa769fc10a17ec8d5963e8506 Mon Sep 17 00:00:00 2001
From: pancake
Date: Sun, 18 Jan 2026 11:20:50 +0100
Subject: [PATCH 1/2] Dont use strcat and other unsafe string ops
---
 src/array.c | 22 ++++++++++------------
 src/json.c | 7 +++----
 src/lock.c | 8 +-------
 src/query.c | 2 +-
 4 files changed, 15 insertions(+), 24 deletions(-)
diff --git a/src/array.c b/src/array.c
index 182667bc..7fc39a08 100644
--- a/src/array.c
+++ b/src/array.c
@@ -183,10 +183,10 @@ SDB_API int sdb_array_insert(Sdb *s, const char *key, int idx, const char *val,
 ptr = (char *)Aindexof (nstr, idx);
 if (ptr) {
 int lptr = (nstr + lstr + 1) - ptr;
- char *p_1 = ptr > nstr? ptr - 1: ptr;
- *p_1 = 0;
- lnstr = ptr - nstr - 1;
- if (lnstr < 0) {
+ if (ptr > nstr) {
+ ptr[-1] = 0;
+ lnstr = ptr - nstr - 1;
+ } else {
 lnstr = 0;
 }
 memcpy (x, nstr, lnstr);
@@ -282,13 +282,11 @@ SDB_API int sdb_array_add_sorted(Sdb *s, const char *key, const char *val, ut32
 if (str_lp < str_e) {
 memcpy (nstr_p, str_lp, str_e - str_lp);
 nstr_p += str_e - str_lp;
- *(nstr_p) = '\0';
+ *nstr_p = '\0';
+ } else if (nstr_p != nstr) {
+ *--nstr_p = '\0';
 } else {
- if (nstr_p > nstr) {
- *(--nstr_p) = '\0';
- } else {
- *nstr_p = '\0';
- }
+ *nstr_p = '\0';
 }
 sdb_set_owned (s, key, nstr, cas);
 sdb_gh_free (vals);
@@ -389,13 +387,13 @@ SDB_API int sdb_array_set(Sdb *s, const char *key, int idx, const char *val,
 return false;
 }
 ptr = nstr + diff;
- //memcpy (nstr, str, lstr+1);
 memcpy (nstr, str, diff);
 memcpy (ptr, val, lval + 1);
 usr = Aindexof (str, idx + 1);
 if (usr) {
+ size_t usr_len = (str + lstr + 1) - usr;
 ptr[lval] = SDB_RS;
- strcpy (ptr + lval + 1, usr);
+ memcpy (ptr + lval + 1, usr, usr_len);
 }
 int ret = sdb_set (s, key, nstr, cas);
 sdb_gh_free (nstr);
diff --git a/src/json.c b/src/json.c
index edb5741a..d41d9566 100644
--- a/src/json.c
+++ b/src/json.c
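Review bot: The new `else` branch no longer writes a terminator when `ptr == nstr`: the removed code stored 0 through `p_1`, which in that case was `ptr` itself, so `nstr[0]` was zeroed. `memcpy (x, nstr, lnstr)` copies nothing either way, so the difference only matters if the rest of sdb_array_insert (outside the hunk) reads `nstr` directly; if dropping that write is intentional, a comment such as `// ptr == nstr: no prefix to keep, nstr[0] is left untouched` on the else branch would record it. The enclosing function starts and ends outside the hunk.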
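Review bot: In the restructured tail of sdb_array_add_sorted, `*--nstr_p = '\0'` in the `else if (nstr_p != nstr)` branch steps back one byte before terminating while the two sibling branches terminate at `nstr_p`, and nothing in the hunk says why that byte is discarded in exactly that case. Replacing `>` with `!=` also loses the hint that `nstr_p` is a position inside `nstr`. Presumably the dropped byte is a separator written by the loop above the hunk; a comment confirming that, e.g. `// strip the trailing separator left by the copy loop`, would make the three cases readable. The function's body continues outside the hunk.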
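Review bot: `size_t usr_len = (str + lstr + 1) - usr;` converts a pointer difference to size_t and is only correct if `lstr` equals `strlen (str)` at this point; `lstr` is set earlier in sdb_array_set, outside the hunk, and any off-by-one there becomes an under- or over-read of `usr` in the following `memcpy`. The same `memcpy` assumes `nstr` was allocated with room for `diff + lval + 1 + usr_len` bytes, which the hunk does not show either. A comment pinning the invariant next to the declaration, `// lstr == strlen (str): usr_len covers the tail including its terminator`, would make the bound auditable without reading the whole function.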
@@ -150,15 +150,14 @@ SDB_API bool sdb_json_set(Sdb *s, const char *k, const char *p, const char *v, u
 size_t buf_len = jslen + strlen (p) + strlen (v) + 7;
 char *buf = (char *)sdb_gh_malloc (buf_len);
 if (buf) {
- int curlen, is_str = isstring (v);
+ int is_str = isstring (v);
 const char *quote = is_str ? "\"" : "";
 const char *comma = ""; // XX: or comma
 if (js[0] && js[1] != '}') {
 comma = ",";
 }
- curlen = snprintf (buf, buf_len, "{\"%s\":%s%s%s%s",
- p, quote, v, quote, comma);
- strcpy (buf + curlen, js + 1);
+ snprintf (buf, buf_len, "{\"%s\":%s%s%s%s%s",
+ p, quote, v, quote, comma, js + 1);
 // transfer ownership
 sdb_set_owned (s, k, buf, cas);
 return true;
diff --git a/src/lock.c b/src/lock.c
index 7158f229..180a85d9 100644
--- a/src/lock.c
+++ b/src/lock.c
@@ -4,16 +4,10 @@
 #include "sdb/sdb.h"
 
 SDB_API bool sdb_lock_file(const char *f, char *buf, size_t buf_size) {
- size_t len;
 if (!f || !*f || !buf || !buf_size) {
 return false;
 }
- len = strlen (f);
- if (len + 10 > buf_size) {
- return false;
- }
- memcpy (buf, f, len);
- strcpy (buf + len, ".lock");
+ snprintf (buf, buf_size, "%s.lock", f);
 return true;
 }
 
diff --git a/src/query.c b/src/query.c
index d3f81285..14b37eb6 100644
--- a/src/query.c
+++ b/src/query.c
@@ -213,7 +213,7 @@ SDB_API char *sdb_querys(Sdb *r, char *buf, size_t len, const char *_cmd) {
 next_quote:
 quot = (char *)strchr (quot, '"');
 if (quot) {
- if (quot > val && *(quot - 1) == '\\') {
+ if (quot != val && *(quot - 1) == '\\') {
 memmove (quot - 1, quot, strlen (quot) + 1);
 goto next_quote;
 }
From 87c0a7ad135759d4ad074f308ed46fcca60ef60a Mon Sep 17 00:00:00 2001
From: pancake
Date: Sun, 18 Jan 2026 11:38:15 +0100
Subject: [PATCH 2/2] fi
---
 src/array.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/array.c b/src/array.c
index 7fc39a08..96fdcad7 100644
--- a/src/array.c
+++ b/src/array.c
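Review bot: The return value of the merged `snprintf` is discarded, so if `buf_len` ever falls short the stored value is silently truncated and becomes malformed JSON; `buf_len = jslen + strlen (p) + strlen (v) + 7` fits the longest possible output exactly, with no slack, and only when `jslen` is `strlen (js)` (computed outside the hunk). Checking the result turns that implicit assumption into an explicit failure: `int n = snprintf (buf, buf_len, "{\"%s\":%s%s%s%s%s", p, quote, v, quote, comma, js + 1);` followed by `if (n < 0 || (size_t)n >= buf_len) { sdb_gh_free (buf); return false; }`. sdb_json_set begins and ends outside the hunk.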
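Review bot: `snprintf (buf, buf_size, "%s.lock", f)` drops the `len + 10 > buf_size` rejection the removed lines had: when the buffer is too small the path is now silently truncated, possibly losing the `.lock` suffix entirely, and the function still returns true, so a caller may go on to lock a different file than it intended. Using the return value restores the old contract (false when the name does not fit): `int n = snprintf (buf, buf_size, "%s.lock", f);` and `return n >= 0 && (size_t)n < buf_size;`. This keeps the safety of the bounded write while telling the caller that the lock name is unusable.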
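Review bot: `quot != val` is equivalent to the old `quot > val` only because `quot` starts at `val` and `strchr` only moves it forward (both outside the hunk); written as an inequality it reads as an identity check rather than the "is there a byte before quot" guard it is. A short comment keeps the intent visible: `// quot == val: no preceding byte to test for a backslash`. Minor: `strlen (quot) + 1` in the `memmove` is recomputed for every escaped quote, which is quadratic on heavily escaped input; fine for short queries, worth a note if large inputs are expected. sdb_querys continues outside the hunk.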
@@ -359,7 +359,6 @@ SDB_API int sdb_array_set(Sdb *s, const char *key, int idx, const char *val,
 }
 // XXX: should we cache sdb_alen value inside kv?
 len = sdb_alen (str);
- lstr--;
 if (idx < 0 || idx == len) { // append
 return sdb_array_insert (s, key, -1, val, cas);
 }
@@ -394,6 +393,8 @@ SDB_API int sdb_array_set(Sdb *s, const char *key, int idx, const char *val,
 size_t usr_len = (str + lstr + 1) - usr;
 ptr[lval] = SDB_RS;
 memcpy (ptr + lval + 1, usr, usr_len);
+ } else {
+ nstr[diff + lval] = '\0';
 }
 int ret = sdb_set (s, key, nstr, cas);
 sdb_gh_free (nstr);
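Review bot: Removing `lstr--` changes what `lstr` means for the rest of sdb_array_set (from one less than the string length to, presumably, `strlen (str)`), and the later `size_t usr_len = (str + lstr + 1) - usr;` in the next hunk depends on exactly that to copy the terminating byte of the tail. Nothing in the function now states the invariant, so a comment where `lstr` is computed (above the hunk), `// lstr == strlen (str); usr_len below relies on it to include the terminator`, would stop the decrement from being reintroduced. The commit subject "fi" does not say what was fixed; naming the off-by-one in the tail copy would help anyone bisecting later.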
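Review bot: The new `else` branch `nstr[diff + lval] = '\0';` looks redundant: earlier in the function `ptr = nstr + diff;` and `memcpy (ptr, val, lval + 1);` already copy `lval + 1` bytes of `val` to that position, so `nstr[diff + lval]` is `val[lval]`, which is the terminator provided `lval` is `strlen (val)` (computed outside the hunk). If `lval` can be something else, the branch is a real fix and that reason belongs in a comment; otherwise a one-liner such as `// val's terminator was already copied above; nothing follows it` tells the reader the else is purely defensive and that the memcpy length is the one to keep.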