nzbgetcom · dnzbk · Apr 29, 2025 · Apr 28, 2025
diff --git a/cmake/posix.cmake b/cmake/posix.cmake
@@ -1,6 +1,7 @@
 option(ENABLE_STATIC "Build static executable")
 option(ENABLE_TESTS "Build tests")
 option(ENABLE_CLANG_TIDY "Enable Clang-Tidy static analizer")
+option(ENABLE_SANITIZERS "Enable leak, undefined, address sanitizers")
 option(DISABLE_TLS "Disable TLS")
 option(DISABLE_CURSES "Disable curses")
 option(DISABLE_GZIP "Disable gzip"
10000
;)
@@ -10,13 +11,14 @@ message(STATUS "TOOLCHAIN OPTIONS:")
 message(STATUS "  SYSTEM NAME      ${CMAKE_SYSTEM_NAME}")
 message(STATUS "  SYSTEM PROCESSOR ${CMAKE_SYSTEM_PROCESSOR}")
 message(STATUS "BUILD OPTIONS:")
-message(STATUS "  BUILD TYPE:       ${CMAKE_BUILD_TYPE}")
-message(STATUS "  ENABLE STATIC:    ${ENABLE_STATIC}")
-message(STATUS "  ENABLE TESTS:     ${ENABLE_TESTS}")
-message(STATUS "  DISABLE TLS:      ${DISABLE_TLS}")
-message(STATUS "  DISABLE CURSES:   ${DISABLE_CURSES}")
-message(STATUS "  DISABLE GZIP:     ${DISABLE_GZIP}")
-message(STATUS "  DISABLE PARCHECK: ${DISABLE_PARCHECK}")
+
+message(STATUS "  BUILD TYPE:        ${CMAKE_BUILD_TYPE}")
+message(STATUS "  ENABLE STATIC:     ${ENABLE_STATIC}")
+message(STATUS "  ENABLE TESTS:      ${ENABLE_TESTS}")
+message(STATUS "  ENABLE SANITIZERS: ${ENABLE_SANITIZERS}")
+message(STATUS "  DISABLE CURSES:    ${DISABLE_CURSES}")
+message(STATUS "  DISABLE GZIP:      ${DISABLE_GZIP}")
+message(STATUS "  DISABLE PARCHECK:  ${DISABLE_PARCHECK}")
 
 if(APPLE)
 	# On macOS Cmake, when cross-compiling, sometimes CMAKE_SYSTEM_PROCESSOR wrongfully stays
@@ -45,6 +47,12 @@ if(ENABLE_CLANG_TIDY)
 	set(CMAKE_CXX_CLANG_TIDY clang-tidy -checks=-*,readability-*)
 endif()
 
+if(ENABLE_SANITIZERS)
+	set(SANITIZERS_OPTION "-fsanitize=leak,undefined,address")
+	target_compile_options(${PACKAGE} PRIVATE ${SANITIZERS_OPTION})
+	target_link_options(${PACKAGE} PRIVATE ${SANITIZERS_OPTION})
+endif()
+
 if(ENABLE_STATIC)
 	# due to the error "ld: library not found for -crt0.o" when using Apple Clang with "-static"
 	if(NOT CMAKE_CXX_COMPILER_ID STREQUAL "AppleClang")

diff --git a/daemon/connect/HttpClient.cpp b/daemon/connect/HttpClient.cpp
@@ -1,7 +1,7 @@
 /*
  *  This file is part of nzbget. See <https://nzbget.com>.
  *
- *  Copyright (C) 2024 Denis <denis@nzbget.com>
+ *  Copyright (C) 2024-2025 Denis <denis@nzbget.com>
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -106,7 +106,7 @@ namespace Network
 		}
 
 		auto bodyBuf = buf.data();
-		std::string body(asio::buffers_begin(bodyBuf), asio::buffers_begin(bodyBuf) + bodyBuf.size());
+		std::string body(asio::buffers_begin(bodyBuf), asio::buffers_end(bodyBuf));
 		Util::Trim(body);
 
 		return body;

diff --git a/daemon/connect/HttpClient.h b/daemon/connect/HttpClient.h
@@ -1,7 +1,7 @@
 /*
  *  This file is part of nzbget. See <https://nzbget.com>.
  *
- *  Copyright (C) 2024 Denis <denis@nzbget.com>
+ *  Copyright (C) 2024-2025 Denis <denis@nzbget.com>
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -47,6 +47,12 @@ namespace Network
 		unsigned statusCode;
 	};
 
+	/**
+	 * @todo Refactor this class into two separate classes: HttpClient and Connection/Session. This separation will enable:
+	 *       - Reusing the Connection/Session for multiple requests.
+	 *       - Replacing the current platform-specific TlsSocket and Connection implementations with a cross-platform solution in the future.
+	 *       - Ensure avoiding blocking IO operations.
+	 */
 	class HttpClient final
 	{
 	public:

diff --git a/daemon/frontend/NCursesFrontend.cpp b/daemon/frontend/NCursesFrontend.cpp
@@ -3,7 +3,7 @@
  *
  *  Copyright (C) 2004 Sven Henkel <sidddy@users.sourceforge.net>
  *  Copyright (C) 2007-2019 Andrey Prygunkov <hugbug@users.sourceforge.net>
- *  Copyright (C) 2024 Denis <denis@nzbget.com>
+ *  Copyright (C) 2024-2025 Denis <denis@nzbget.com>
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -355,17 +355,19 @@ int NCursesFrontend::CalcQueueSize()
 
 #ifndef WIN32
 
-void NCursesFrontend::PlotLine(const char * string, int row, int pos, int colorPair)
+void NCursesFrontend::PlotLine(const char* str, int row, int pos, int colorPair)
 {
-	std::string buffer(m_screenWidth + 1, '\0');
-	snprintf(buffer.data(), buffer.size(), "%-*s", m_screenWidth, string);
+	size_t size = Util::SafeIntCast<int, size_t>(m_screenWidth + 1);
+	std::string buffer(size, '\0');
+	snprintf(buffer.data(), size, "%-*s", m_screenWidth, str);
 
-	if (Util::CmpGreater(buffer.size(), m_screenWidth - pos) && m_screenWidth - pos < MAX_SCREEN_WIDTH)
+	if (Util::CmpGreater(size, m_screenWidth - pos) && m_screenWidth - pos < MAX_SCREEN_WIDTH)
 	{
-		buffer[m_screenWidth - pos] = '\0';
+		size = Util::SafeIntCast<int, size_t>(m_screenWidth - pos);
+		buffer.resize(size);
 	}
 
-	PlotText(buffer.data(), row, pos, colorPair, false);
+	PlotText(buffer.c_str(), row, pos, colorPair, false);
 }
 
 void NCursesFrontend::PlotText(const char * string, int row, int pos, int colorPair, bool blink)
@@ -391,25 +393,26 @@ void NCursesFrontend::PlotTex
6D4E
t(const char * string, int row, int pos, int colorP
 
 #else
 
-void NCursesFrontend::PlotLine(const char * str, int row, int pos, int colorPair)
+void NCursesFrontend::PlotLine(const char* str, int row, int pos, int colorPair)
 {
 	auto res = Utf8::Utf8ToWide(str);
-	if (!res.has_value())
+	if (!res)
 	{
 		warn("Failed to convert %s to wide string", str);
 		return;
 	}
 
-	std::wstring wstr = std::move(res.value());
-	std::wstring buffer(m_screenWidth + 1, '\0');
-	swprintf(buffer.data(), buffer.size(), L"%-*s", m_screenWidth, wstr.c_str());
+	size_t size = Util::SafeIntCast<int, size_t>(m_screenWidth + 1);
+	std::wstring buffer(size, L'\0');
+	swprintf(buffer.data(), size, L"%-*s", m_screenWidth, res->c_str());
 
-	if (Util::CmpGreater(buffer.size(), m_screenWidth - pos) && m_screenWidth - pos < MAX_SCREEN_WIDTH)
+	if (Util::CmpGreater(size, m_screenWidth - pos) && m_screenWidth - pos < MAX_SCREEN_WIDTH)
 	{
-		buffer[m_screenWidth - pos] = '\0';
+		size = Util::SafeIntCast<int, size_t>(m_screenWidth - pos);
+		buffer.resize(size);
 	}
 
-	PlotText(buffer.data(), row, pos, colorPair, false);
+	PlotText(buffer.c_str(), row, pos, colorPair, false);
 }
 
 void NCursesFrontend::PlotText(const wchar_t* wstr, int row, int pos, int colorPair, bool blink)

diff --git a/daemon/nntp/ArticleWriter.cpp b/daemon/nntp/ArticleWriter.cpp
@@ -587,12 +587,12 @@ void ArticleWriter::CompleteFileParts()
 	}
 }
 
-void ArticleWriter::RenameOutputFile(std::string_view filename, std::string_view destDir)
+void ArticleWriter::RenameOutputFile(const std::string& filename, const std::string& destDir)
 {
 	if (filename == m_fileInfo->GetFilename())
 		return;
 
-	std::string ofn = FileSystem::MakeUniqueFilename(destDir.data(), m_fileInfo->GetFilename()).Str();
+	std::string ofn = FileSystem::MakeUniqueFilename(destDir.c_str(), m_fileInfo->GetFilename()).Str();
 	if (!FileSystem::MoveFile(m_outputFilename.c_str(), ofn.c_str()))
 	{
 		m_fileInfo->GetNzbInfo()->PrintMessage(Message::mkError,

diff --git a/daemon/nntp/ArticleWriter.h b/daemon/nntp/ArticleWriter.h
@@ -23,7 +23,7 @@
 #define ARTICLEWRITER_H
 
 #include <atomic>
-#include <string_view>
+#include <string>
 #include "NString.h"
 #include "DownloadInfo.h"
 #include "Decoder.h"
@@ -77,7 +77,7 @@ class ArticleWriter
 	 * @param filename The desired final filename (without path).
 	 * @param destDir  The destination directory for the file.
 	 */
-	void RenameOutputFile(std::string_view filename, std::string_view destDir);
+	void RenameOutputFile(const std::string& filename, const std::string& destDir);
 
 	FileInfo* m_fileInfo;
 	ArticleInfo* m_articleInfo;

diff --git a/daemon/postprocess/Unpack.cpp b/daemon/postprocess/Unpack.cpp
@@ -2,7 +2,7 @@
  *  This file is part of nzbget. See <https://nzbget.com>.
  *
  *  Copyright (C) 2013-2018 Andrey Prygunkov <hugbug@users.sourceforge.net>
- *  Copyright (C) 2023-2024 Denis <denis@nzbget.com>
+ *  Copyright (C) 2023-2025 Denis <denis@nzbget.com>
  * 
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -650,11 +650,10 @@ void UnpackController::CheckArchiveFiles()
 
 			if (regExRar.Match(filename))
 			{
+				const auto begin = m_postInfo->GetExtractedArchives()->cbegin();
+				const auto end = m_postInfo->GetExtractedArchives()->cend();
 				m_hasRarFiles = true;
-				m_hasNotUnpackedRarFiles |= std::find(
-					m_postInfo->GetExtractedArchives()->begin(),
-					m_postInfo->GetExtractedArchives()->end(),
-					filename) == m_postInfo->GetExtractedArchives()->end();
+				m_hasNotUnpackedRarFiles |= std::find(begin, end, filename) == end;
 			}
 			else if (regExSevenZip.Match(filename))
 			{
@@ -683,7 +682,7 @@ bool UnpackController::FileHasRarSignature(const char* filename)
 	char rar4Signature[] = { 0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00 };
 	char rar5Signature[] = { 0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01, 0x00 };
 
-	char fileSignature[8];
+	char fileSignature[8]{};
 
 	int cnt = 0;
 	DiskFile infile;
@@ -874,7 +873,7 @@ void UnpackController::AddMessage(Message::EKind kind, const char* text)
 		m_postInfo->GetNzbInfo()->AddMessage(kind, msgText);
 	}
 
-	if (m_postInfo && m_unpacker == upUnrar && !strncmp(msgText, "Unrar: UNRAR ", 6) &&
+	if (m_postInfo && m_unpacker == upUnrar && !strncmp(msgText, "Unrar: UNRAR ", 13) &&
 		strstr(msgText, " Copyright ") && strstr(msgText, " Alexander Roshal"))
 	{
 		// reset start time for a case if user uses unpack-script to do some things
@@ -910,7 +909,7 @@ void UnpackController::AddMessage(Message::EKind kind, const char* text)
 	}
 
 	if (m_unpacker == upSevenZip &&
-		(len > 18 && !strncmp(text + len - 45, "Data Error in encrypted file. Wrong password?", 45)))
+		(len > 45 && !strncmp(text + len - 45, "Data Error in encrypted file. Wrong password?", 45)))
 	{
 		m_unpackDecryptError = true;
 	}

diff --git a/daemon/queue/Deobfuscation.cpp b/daemon/queue/Deobfuscation.cpp
@@ -119,13 +119,13 @@ namespace Deobfuscation
 		if (str.empty())
 			return false;
 
-		for (auto& regex : EXCLUDED_HASHED_RELEASES_REGEXES)
+		for (const auto& regex : EXCLUDED_HASHED_RELEASES_REGEXES)
 		{
 			if (std::regex_search(str, regex))
 				return false;
 		}
 
-		for (auto& regex : HASHED_RELEASES_REGEXES)
+		for (const auto& regex : HASHED_RELEASES_REGEXES)
 		{
 			if (std::regex_search(str, regex))
 				return true;

diff --git a/daemon/queue/Deobfuscation.h b/daemon/queue/Deobfuscation.h
@@ -27,18 +27,18 @@
 
 namespace Deobfuscation
 {
-	inline const std::array<std::regex, 1> EXCLUDED_HASHED_RELEASES_REGEXES{
-		std::regex{ "[0-9a-zA-Z]{24}.(7z(\\.\\d{2,3})?|rar|r\\d{2,3}|zip|par2)$" }
+	inline static const std::array<std::regex, 1> EXCLUDED_HASHED_RELEASES_REGEXES{
+		std::regex{ R"([0-9a-zA-Z]{16,256}.(7z(\.\d{2,3})?|rar|r\d{2,3}|zip|par2)$)" }
 	};
 
-	inline const std::array<std::regex, 11> HASHED_RELEASES_REGEXES{
+	inline static const std::array<std::regex, 11> HASHED_RELEASES_REGEXES{
 		std::regex{ "[0-9a-f.]{16}" },
-		std::regex{ "^[0-9a-zA-Z]{24,}" },
-		std::regex{ "^[a-z0-9]{16,}$" },
+		std::regex{ "^[0-9a-zA-Z]{24,256}" },
+		std::regex{ "^[a-z0-9]{16,256}$" },
 		std::regex{ "^abc$" },
 		std::regex{ "^abc[-_. ]xyz" },
-		std::regex{ "^[A-Z]{11,}[0-9]{3}$" },
-		std::regex{ "^Backup_[0-9]{5,}S[0-9]{2}-[0-9]{2}$" },
+		std::regex{ "^[A-Z]{11,256}[0-9]{3}$" },
+		std::regex{ "^Backup_[0-9]{5,256}S[0-9]{2}-[0-9]{2}$" },
 		std::regex{ "^123$" },
 		std::regex{ "^b00bs$" },
 		std::regex{ "^[0-9]{6}_[0-9]{2}$" },

diff --git a/daemon/system/SystemInfo.cpp b/daemon/system/SystemInfo.cpp
@@ -1,7 +1,7 @@
 /*
  *  This file is part of nzbget. See <https://nzbget.com>.
  *
- *  Copyright (C) 2024 Denis <denis@nzbget.com>
+ *  Copyright (C) 2024-2025 Denis <denis@nzbget.com>
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -309,7 +309,7 @@ namespace System
 	{
 		// e.g. 7-Zip (a) 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21
 		// e.g. UNRAR 5.70 x64 freeware      Copyright (c) 1993-2019 Alexander Roshal
-		std::regex pattern(R"([0-9]*\.[0-9]*)"); // float number
+		static const std::regex pattern(R"([0-9]+\.[0-9]+)"); // float number
 		std::smatch match;
 		if (std::regex_search(line, match, pattern))
 		{