msearch: harden argument parsing and sqlite row handling

laffer1 · laffer1 · commit 1b657bcbcb2d · 2026-05-01T09:40:48.000-04:00
Validate -l limit parsing, treat library failures as errors, and add NULL checks for sqlite3_column_text() results. Fix owner lookup to use the row uid. Add basic ATF tests for argument handling.

AI-Assisted-by: GPT-5.2 (Codex CLI)
Signed-off-by: Lucas Holt &lt;luke@foolishgames.com&gt;
diff --git a/lib/libmsearch/msearch_fulltext.c b/lib/libmsearch/msearch_fulltext.c
@@ -79,6 +79,13 @@ msearch_fulltext_search(msearch_query *query, msearch_result *result) {
         while (1) {
                 ret = sqlite3_step(stmt);
                 if (ret == SQLITE_ROW) {
+			const unsigned char *path;
+
+			path = sqlite3_column_text(stmt, 0);
+			if (path == NULL) {
+				i = -1;
+				break;
+			}
                         if (i > 0) {
                                 current->next = malloc(sizeof(msearch_result));
                                 if (current->next == NULL) {
@@ -87,12 +94,12 @@ msearch_fulltext_search(msearch_query *query, msearch_result *result) {
                                 }
                                 current = current->next;
                         }
-			current->path = strdup(sqlite3_column_text(stmt, 0));
+			current->path = strdup(path);
 			current->weight = sqlite3_column_double(stmt, 1);
                         current->filename = NULL;
-                        if (lstat(sqlite3_column_text(stmt, 0), &sb) == 0) {
+                        if (lstat(path, &sb) == 0) {
                                 if (S_ISREG(sb.st_mode)) {
-                                        current->filename = strdup(basename((char *) sqlite3_column_text(stmt, 0)));
+                                        current->filename = strdup(basename((char *)path));
                                 }
 				current->size = sb.st_size;
 				current->uid = sb.st_uid;
diff --git a/lib/libmsearch/msearch_search.c b/lib/libmsearch/msearch_search.c
@@ -91,6 +91,13 @@ msearch_search(msearch_query *query, msearch_result *result) {
 	while (1) {
 		ret = sqlite3_step(stmt);
 		if (ret == SQLITE_ROW) {
+			const unsigned char *path;
+
+			path = sqlite3_column_text(stmt, 0);
+			if (path == NULL) {
+				i = -1;
+				break;
+			}
 			if (i > 0) {
 				current->next = malloc(sizeof(msearch_result));
 				if (current->next == NULL) {
@@ -100,14 +107,15 @@ msearch_search(msearch_query *query, msearch_result *result) {
 				current = current->next;
 			}
 			current->filename = NULL;
-			if (lstat(sqlite3_column_text(stmt, 0), &sb) == 0) {
+			if (lstat(path, &sb) == 0) {
 				if (S_ISREG(sb.st_mode)) {
-					current->filename = strdup(basename((char *)sqlite3_column_text(stmt, 0)));
+					current->filename = strdup(basename((char *)path));
 				}
 			}
-			current->path = strdup(sqlite3_column_text(stmt, 0));
+			current->path = strdup(path);
 			current->size = sqlite3_column_int64(stmt, 1);
 			current->uid = sqlite3_column_int(stmt, 2);
+			uid = current->uid;
 			if ((getpwuid_r(uid, &pwd, buf, sizeof(buf), &pwdbuf)) == 0 && pwdbuf != NULL) {
 				current->owner = strdup(pwdbuf->pw_name);				
 			} else
diff --git a/usr.bin/msearch/Makefile b/usr.bin/msearch/Makefile
@@ -1,3 +1,5 @@
+.include <src.opts.mk>
+
 PROG=	msearch
 
 CFLAGS+= -I${.CURDIR}/../../lib/libsearch
@@ -6,4 +8,9 @@ CSTD=	c99
 
 LIBADD+=	msearch sqlite3 z
 
+.if ${MK_TESTS} != "no"
+HAS_TESTS=
+SUBDIR+= tests
+.endif
+
 .include <bsd.prog.mk>
diff --git a/usr.bin/msearch/msearch.c b/usr.bin/msearch/msearch.c
@@ -30,6 +30,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <err.h>
+#include <errno.h>
+#include <limits.h>
 #include <unistd.h>
 #include <msearch.h>
 
@@ -55,8 +57,18 @@ main(int argc, char *argv[]) {
 				cflag = 1;
 				break;
 			case 'l':
-				limit = (int)strtol(optarg, (char **)NULL, 10);
+			{
+				char *endp;
+				long llimit;
+
+				errno = 0;
+				llimit = strtol(optarg, &endp, 10);
+				if (errno != 0 || endp == optarg || *endp != '\0' ||
+				    llimit < 0 || llimit > INT_MAX)
+					errx(1, "invalid limit: %s", optarg);
+				limit = (int)llimit;
 				break;
+			}
 			case 'r':
 				rflag = 1;
 				break;
@@ -79,7 +91,7 @@ main(int argc, char *argv[]) {
 		err(1, NULL);
 	}
 
-	if ((query = malloc(sizeof(msearch_query))) == NULL) {
+	if ((query = calloc(1, sizeof(*query))) == NULL) {
 		err(1, NULL);
 	}
 
@@ -92,6 +104,8 @@ main(int argc, char *argv[]) {
 	query->limit = limit;
 
 	results = msearch(query, result);
+	if (results < 0)
+		errx(1, "msearch failed");
 
 	if (cflag) {
 		printf("%d\n", results);
diff --git a/usr.bin/msearch/tests/Makefile b/usr.bin/msearch/tests/Makefile
@@ -0,0 +1,5 @@
+
+ATF_TESTS_SH=	msearch_test
+
+.include <bsd.test.mk>
+
diff --git a/usr.bin/msearch/tests/msearch_test.sh b/usr.bin/msearch/tests/msearch_test.sh
@@ -0,0 +1,31 @@
+#
+# Basic regression tests for msearch(1) argument handling.
+#
+
+atf_test_case usage_no_args
+usage_no_args_body()
+{
+	MSEARCH_BIN="$(ls /usr/obj/usr/src/*/usr.bin/msearch/msearch 2>/dev/null | head -n 1)"
+	if [ -z "${MSEARCH_BIN}" ] || [ ! -x "${MSEARCH_BIN}" ]; then
+		MSEARCH_BIN="msearch"
+	fi
+	atf_check -s exit:1 -e match:"^usage: msearch" "${MSEARCH_BIN}"
+}
+
+atf_test_case invalid_limit_rejected
+invalid_limit_rejected_body()
+{
+	MSEARCH_BIN="$(ls /usr/obj/usr/src/*/usr.bin/msearch/msearch 2>/dev/null | head -n 1)"
+	if [ -z "${MSEARCH_BIN}" ] || [ ! -x "${MSEARCH_BIN}" ]; then
+		MSEARCH_BIN="msearch"
+	fi
+	atf_check -s exit:1 -e match:"invalid limit" "${MSEARCH_BIN}" -l notanint foo
+	atf_check -s exit:1 -e match:"invalid limit" "${MSEARCH_BIN}" -l -1 foo
+	atf_check -s exit:1 -e match:"invalid limit" "${MSEARCH_BIN}" -l 999999999999999999999 foo
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case usage_no_args
+	atf_add_test_case invalid_limit_rejected
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
++
 +ATF_TESTS_SH=	msearch_test
++
 +.include <bsd.test.mk>
++