Fix 35 bugs and bump version to 0.9.111 (#9)

* Fix 35 bugs across CloudSync SQLite/PostgreSQL sync extension

Comprehensive audit identified and fixed 35 bugs (1 CRITICAL, 7 HIGH,
18 MEDIUM, 9 LOW) across the entire codebase. All 84 SQLite tests and
26 PostgreSQL tests pass with 0 failures and 0 memory leaks.

## src/cloudsync.c (13 fixes)

- [HIGH] Guard NULL db_version_stmt in cloudsync_dbversion_rerun —
  set db_version = CLOUDSYNC_MIN_DB_VERSION and return 0 when stmt
  is NULL, preventing NULL dereference after schema rebuild failure
- [MEDIUM] Add early return for NULL stmt in dbvm_execute to prevent
  crash when called with uninitialized statement pointer
- [MEDIUM] Change (bool)dbvm_count() to (dbvm_count() > 0) in
  table_pk_exists — prevents negative return values being cast to
  true, giving false positive "pk exists" results
- [MEDIUM] Add NULL check on database_column_text result in
  cloudsync_refill_metatable before calling strlen — prevents crash
  on corrupted or empty column data
- [MEDIUM] Route early returns in cloudsync_payload_apply through
  goto cleanup so CLEANUP callback and vm finalize always run —
  prevents resource leaks and callback contract violation
- [MEDIUM] Change return false to goto abort_add_table when
  ROWIDONLY rejected — ensures table_free runs on the partially
  allocated table, preventing memory leak
- [MEDIUM] Initialize *persistent = false at top of
  cloudsync_colvalue_stmt — prevents use of uninitialized value
  when table_lookup returns NULL
- [LOW] Add NULL check on database_column_blob in merge_did_cid_win
  — prevents memcmp with NULL pointer on corrupted cloudsync table
- [LOW] Handle partial failure in table_add_to_context_cb — clean
  up col_name, col_merge_stmt, col_value_stmt at index on error
  instead of leaving dangling pointers
- [LOW] Remove unused pragma_checked field from cloudsync_context
- [LOW] Change pointer comparison to strcmp in cloudsync_set_schema
  — pointer equality missed cases where different string pointers
  had identical content
- [LOW] Fix cloudsync_payload_get NULL check: blob == NULL (always
  false for char** arg) changed to *blob == NULL
- [LOW] Pass extra meta_ref args to SQL_CLOUDSYNC_UPSERT_COL_INIT_OR_BUMP_VERSION
  mprintf call to match updated PostgreSQL format string

## src/sqlite/cloudsync_sqlite.c (5 fixes)

- [HIGH] Split DEFAULT_FLAGS into FLAGS_PURE (SQLITE_UTF8 |
  SQLITE_INNOCUOUS | SQLITE_DETERMINISTIC) and FLAGS_VOLATILE
  (SQLITE_UTF8). Pure functions: cloudsync_version, cloudsync_pk_encode,
  cloudsync_pk_decode. All others volatile — fixes cloudsync_uuid()
  returning identical values within the same query when SQLite cached
  deterministic results
- [HIGH] Fix realloc inconsistency in dbsync_update_payload_append:
  on second realloc failure, state was inconsistent (new_values
  resized, old_values not, capacity not updated). Both reallocs now
  checked before updating pointers and capacity
- [MEDIUM] Move payload->count++ after all database_value_dup NULL
  checks in dbsync_update_payload_append — prevents count increment
  when allocation failed, which would cause use-after-free on cleanup
- [MEDIUM] Add dbsync_update_payload_free(payload) before 3 early
  returns in dbsync_update_final — prevents memory leak of entire
  aggregate payload on error paths
- [MEDIUM] Clean up partial database_value_dup allocations on OOM in
  dbsync_update_payload_append — free dup'd values at current index
  when count is not incremented to prevent leak

## src/sqlite/database_sqlite.c (6 fixes)

- [MEDIUM] Replace fixed 4096-byte trigger WHEN clause buffers with
  dynamic cloudsync_memory_mprintf — prevents silent truncation for
  tables with long filter expressions
- [MEDIUM] Check cloudsync_memory_mprintf return for NULL before
  storing in col_names[] in database_build_trigger_when — prevents
  strlen(NULL) crash in filter_is_column under OOM
- [LOW] Use consistent PRId64 format with (int64_t) cast for schema
  hash in database_check_schema_hash and database_update_schema_hash
  — prevents format string mismatch on platforms where uint64_t and
  int64_t have different printf specifiers
- [LOW] Fix DEBUG_DBFUNCTION using undeclared variable 'table'
  instead of 'table_name' in database_create_metatable (line 568)
  and database_create_triggers (line 782) — compile error when
  debug macros enabled
- [LOW] Remove dead else branch in database_pk_rowid — unreachable
  code after sqlite3_prepare_v2 success check

## src/sqlite/sql_sqlite.c (1 fix)

- [MEDIUM] Change %s to %q in SQL_INSERT_SETTINGS_STR_FORMAT —
  prevents SQL injection via malformed setting key/value strings

## src/dbutils.c (1 fix)

- [MEDIUM] Change snprintf to cloudsync_memory_mprintf for settings
  insert using the new %q format — ensures proper SQL escaping

## src/utils.c (1 fix)

- [MEDIUM] Fix integer overflow in cloudsync_blob_compare:
  (int)(size1 - size2) overflows for large size_t values, changed
  to (size1 > size2) ? 1 : -1

## src/network.c (1 fix)

- [MEDIUM] Remove trailing semicolon from savepoint name
  "cloudsync_logout_savepoint;" — semicolon in name caused
  savepoint/release mismatch

## src/postgresql/sql_postgresql.c (1 fix)

- [CRITICAL] Replace EXCLUDED.col_version with %s.col_version
  (table reference) in SQL_CLOUDSYNC_UPSERT_COL_INIT_OR_BUMP_VERSION
  — PostgreSQL EXCLUDED refers to the proposed INSERT row (always
  col_version=1), not the existing row. This caused col_version to
  never increment correctly on conflict, breaking CRDT merge logic

## src/postgresql/cloudsync_postgresql.c (4 fixes)

- [HIGH] Change PG_RETURN_INT32(rc) to PG_RETURN_BOOL(rc == DBRES_OK)
  in pg_cloudsync_terminate — SQL declaration returns BOOLEAN but code
  returned raw integer, causing protocol mismatch
- [HIGH] Copy blob data with palloc+memcpy before databasevm_reset in
  cloudsync_col_value, and fix PG_RETURN_CSTRING to PG_RETURN_BYTEA_P
  — reset invalidates SPI tuple memory, causing use-after-free; wrong
  return type caused type mismatch with SQL declaration
- [MEDIUM] Use palloc0 instead of cloudsync_memory_alloc+memset in
  aggregate context — palloc0 is lifetime-safe in PG aggregate memory
  context; cloudsync_memory_alloc uses wrong allocator
- [MEDIUM] Free SPI_tuptable in all paths of get_column_oid — prevents
  SPI tuple table leak on early return

## src/postgresql/database_postgresql.c (3 fixes)

- [MEDIUM] Use sql_escape_identifier for table_name/schema in CREATE
  INDEX — prevents SQL injection via specially crafted table names
- [MEDIUM] Use sql_escape_literal for table_name in trigger WHEN
  clause — prevents SQL injection in trigger condition
- [LOW] Use SPI_getvalue instead of DatumGetName for type safety in
  database_pk_names — DatumGetName assumes Name type which may not
  match the actual column type from information_schema

## test/unit.c (3 new tests)

- do_test_blob_compare_large_sizes: verifies overflow fix for large
  size_t values in cloudsync_blob_compare
- do_test_deterministic_flags: verifies cloudsync_uuid() returns
  different values in same query (non-deterministic flag working)
- do_test_schema_hash_consistency: verifies int64 hash format
  roundtrip through cloudsync_schema_versions table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Bump version to 0.9.111

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update .gitignore

Author: marcobambini

.gitignore

@@ -50,3 +50,4 @@ jniLibs/
 .DS_Store
 Thumbs.db
 CLAUDE.md
+*.o

src/cloudsync.c

@@ -115,7 +115,6 @@ struct cloudsync_context {
     void        *aux_data;
 
     // stmts and context values
-    bool        pragma_checked;             // we need to check PRAGMAs only once per transaction
     dbvm_t      *schema_version_stmt;
     dbvm_t      *data_version_stmt;
     dbvm_t      *db_version_stmt;
@@ -255,13 +254,15 @@ const char *cloudsync_algo_name (table_algo algo) {
 // MARK: - DBVM Utils -
 
 DBVM_VALUE dbvm_execute (dbvm_t *stmt, cloudsync_context *data) {
+    if (!stmt) return DBVM_VALUE_ERROR;
+
     int rc = databasevm_step(stmt);
     if (rc != DBRES_ROW && rc != DBRES_DONE) {
         if (data) DEBUG_DBERROR(rc, "stmt_execute", data);
         databasevm_reset(stmt);
         return DBVM_VALUE_ERROR;
     }
-    
+
     DBVM_VALUE result = DBVM_VALUE_CHANGED;
     if (stmt == data->data_version_stmt) {
         int version = (int)database_column_int(stmt, 0);
@@ -365,12 +366,17 @@ int cloudsync_dbversion_rebuild (cloudsync_context *data) {
 int cloudsync_dbversion_rerun (cloudsync_context *data) {
     DBVM_VALUE schema_changed = dbvm_execute(data->schema_version_stmt, data);
     if (schema_changed == DBVM_VALUE_ERROR) return -1;
-    
+
     if (schema_changed == DBVM_VALUE_CHANGED) {
         int rc = cloudsync_dbversion_rebuild(data);
         if (rc != DBRES_OK) return -1;
     }
-    
+
+    if (!data->db_version_stmt) {
+        data->db_version = CLOUDSYNC_MIN_DB_VERSION;
+        return 0;
+    }
+
     DBVM_VALUE rc = dbvm_execute(data->db_version_stmt, data);
     if (rc == DBVM_VALUE_ERROR) return -1;
     return 0;
@@ -559,7 +565,7 @@ void cloudsync_set_auxdata (cloudsync_context *data, void *xdata) {
 }
 
 void cloudsync_set_schema (cloudsync_context *data, const char *schema) {
-    if (data->current_schema == schema) return;
+    if (data->current_schema && schema && strcmp(data->current_schema, schema) == 0) return;
     if (data->current_schema) cloudsync_memory_free(data->current_schema);
     data->current_schema = NULL;
     if (schema) data->current_schema = cloudsync_string_dup_lowercase(schema);
@@ -748,7 +754,7 @@ int table_add_stmts (cloudsync_table_context *table, int ncols) {
     if (rc != DBRES_OK) goto cleanup;
 
     // precompile the insert local sentinel statement
-    sql = cloudsync_memory_mprintf(SQL_CLOUDSYNC_UPSERT_COL_INIT_OR_BUMP_VERSION, table->meta_ref, CLOUDSYNC_TOMBSTONE_VALUE);
+    sql = cloudsync_memory_mprintf(SQL_CLOUDSYNC_UPSERT_COL_INIT_OR_BUMP_VERSION, table->meta_ref, CLOUDSYNC_TOMBSTONE_VALUE, table->meta_ref, table->meta_ref, table->meta_ref);
     if (!sql) {rc = DBRES_NOMEM; goto cleanup;}
     DEBUG_SQL("meta_sentinel_insert_stmt: %s", sql);
 
@@ -920,37 +926,44 @@ int table_remove (cloudsync_context *data, cloudsync_table_context *table) {
 int table_add_to_context_cb (void *xdata, int ncols, char **values, char **names) {
     cloudsync_table_context *table = (cloudsync_table_context *)xdata;
     cloudsync_context *data = table->context;
-    
+
     int index = table->ncols;
     for (int i=0; i<ncols; i+=2) {
         const char *name = values[i];
         int cid = (int)strtol(values[i+1], NULL, 0);
-        
+
         table->col_id[index] = cid;
         table->col_name[index] = cloudsync_string_dup_lowercase(name);
-        if (!table->col_name[index]) return 1;
-        
+        if (!table->col_name[index]) goto error;
+
         char *sql = table_build_mergeinsert_sql(table, name);
-        if (!sql) return DBRES_NOMEM;
+        if (!sql) goto error;
         DEBUG_SQL("col_merge_stmt[%d]: %s", index, sql);
-        
+
         int rc = databasevm_prepare(data, sql, (void **)&table->col_merge_stmt[index], DBFLAG_PERSISTENT);
         cloudsync_memory_free(sql);
-        if (rc != DBRES_OK) return rc;
-        if (!table->col_merge_stmt[index]) return DBRES_MISUSE;
-        
+        if (rc != DBRES_OK) goto error;
+        if (!table->col_merge_stmt[index]) goto error;
+
         sql = table_build_value_sql(table, name);
-        if (!sql) return DBRES_NOMEM;
+        if (!sql) goto error;
         DEBUG_SQL("col_value_stmt[%d]: %s", index, sql);
-        
+
         rc = databasevm_prepare(data, sql, (void **)&table->col_value_stmt[index], DBFLAG_PERSISTENT);
         cloudsync_memory_free(sql);
-        if (rc != DBRES_OK) return rc;
-        if (!table->col_value_stmt[index]) return DBRES_MISUSE;
+        if (rc != DBRES_OK) goto error;
+        if (!table->col_value_stmt[index]) goto error;
     }
     table->ncols += 1;
-    
+
     return 0;
+
+error:
+    // clean up partially-initialized entry at index
+    if (table->col_name[index]) {cloudsync_memory_free(table->col_name[index]); table->col_name[index] = NULL;}
+    if (table->col_merge_stmt[index]) {databasevm_finalize(table->col_merge_stmt[index]); table->col_merge_stmt[index] = NULL;}
+    if (table->col_value_stmt[index]) {databasevm_finalize(table->col_value_stmt[index]); table->col_value_stmt[index] = NULL;}
+    return 1;
 }
 
 bool table_ensure_capacity (cloudsync_context *data) {
@@ -992,7 +1005,7 @@ bool table_add_to_context (cloudsync_context *data, table_algo algo, const char
     table->npks = count;
     if (table->npks == 0) {
         #if CLOUDSYNC_DISABLE_ROWIDONLY_TABLES
-        return false;
+        goto abort_add_table;
         #else
         table->rowid_only = true;
         table->npks = 1; // rowid
@@ -1039,7 +1052,8 @@ bool table_add_to_context (cloudsync_context *data, table_algo algo, const char
 
 dbvm_t *cloudsync_colvalue_stmt (cloudsync_context *data, const char *tbl_name, bool *persistent) {
     dbvm_t *vm = NULL;
-    
+    *persistent = false;
+
     cloudsync_table_context *table = table_lookup(data, tbl_name);
     if (table) {
         char *col_name = NULL;
@@ -1082,7 +1096,7 @@ const char *table_colname (cloudsync_table_context *table, int index) {
 bool table_pk_exists (cloudsync_table_context *table, const char *value, size_t len) {
     // check if a row with the same primary key already exists
     // if so, this means the row might have been previously deleted (sentinel)
-    return (bool)dbvm_count(table->meta_pkexists_stmt, value, len, DBTYPE_BLOB);
+    return (dbvm_count(table->meta_pkexists_stmt, value, len, DBTYPE_BLOB) > 0);
 }
 
 char **table_pknames (cloudsync_table_context *table) {
@@ -1373,6 +1387,10 @@ int merge_did_cid_win (cloudsync_context *data, cloudsync_table_context *table,
     rc = databasevm_step(vm);
     if (rc == DBRES_ROW) {
         const void *local_site_id = database_column_blob(vm, 0);
+        if (!local_site_id) {
+            dbvm_reset(vm);
+            return cloudsync_set_error(data, "NULL site_id in cloudsync table, table is probably corrupted", DBRES_ERROR);
+        }
         ret = memcmp(site_id, local_site_id, site_len);
         *didwin_flag = (ret > 0);
         dbvm_reset(vm);
@@ -1929,6 +1947,7 @@ int cloudsync_refill_metatable (cloudsync_context *data, const char *table_name)
             rc = databasevm_step(vm);
             if (rc == DBRES_ROW) {
                 const char *pk = (const char *)database_column_text(vm, 0);
+                if (!pk) { rc = DBRES_ERROR; break; }
                 size_t pklen = strlen(pk);
                 rc = local_mark_insert_or_update_meta(table, pk, pklen, col_name, db_version, cloudsync_bumpseq(data));
             } else if (rc == DBRES_DONE) {
@@ -2448,8 +2467,8 @@ int cloudsync_payload_apply (cloudsync_context *data, const char *payload, int b
         if (in_savepoint && db_version_changed) {
             rc = database_commit_savepoint(data, "cloudsync_payload_apply");
             if (rc != DBRES_OK) {
-                if (clone) cloudsync_memory_free(clone);
-                return cloudsync_set_error(data, "Error on cloudsync_payload_apply: unable to release a savepoint", rc);
+                cloudsync_set_error(data, "Error on cloudsync_payload_apply: unable to release a savepoint", rc);
+                goto cleanup;
             }
             in_savepoint = false;
         }
@@ -2459,8 +2478,8 @@ int cloudsync_payload_apply (cloudsync_context *data, const char *payload, int b
         if (!in_transaction && db_version_changed) {
             rc = database_begin_savepoint(data, "cloudsync_payload_apply");
             if (rc != DBRES_OK) {
-                if (clone) cloudsync_memory_free(clone);
-                return cloudsync_set_error(data, "Error on cloudsync_payload_apply: unable to start a transaction", rc);
+                cloudsync_set_error(data, "Error on cloudsync_payload_apply: unable to start a transaction", rc);
+                goto cleanup;
             }
             last_payload_db_version = decoded_context.db_version;
             in_savepoint = true;
@@ -2548,7 +2567,7 @@ int cloudsync_payload_get (cloudsync_context *data, char **blob, int *blob_size,
     if (rc != DBRES_OK) return rc;
 
     // exit if there is no data to send
-    if (blob == NULL || *blob_size == 0) return DBRES_OK;
+    if (*blob == NULL || *blob_size == 0) return DBRES_OK;
     return rc;
 }
 

src/cloudsync.h

@@ -17,7 +17,7 @@
 extern "C" {
 #endif
 
-#define CLOUDSYNC_VERSION                       "0.9.110"
+#define CLOUDSYNC_VERSION                       "0.9.111"
 #define CLOUDSYNC_MAX_TABLENAME_LEN             512
 
 #define CLOUDSYNC_VALUE_NOTSET                  -1

src/dbutils.c

@@ -411,14 +411,16 @@ int dbutils_settings_init (cloudsync_context *data) {
         if (rc != DBRES_OK) return rc;
 
         // library version
-        char sql[1024];
-        snprintf(sql, sizeof(sql), SQL_INSERT_SETTINGS_STR_FORMAT, CLOUDSYNC_KEY_LIBVERSION, CLOUDSYNC_VERSION);
+        char *sql = cloudsync_memory_mprintf(SQL_INSERT_SETTINGS_STR_FORMAT, CLOUDSYNC_KEY_LIBVERSION, CLOUDSYNC_VERSION);
+        if (!sql) return DBRES_NOMEM;
         rc = database_exec(data, sql);
+        cloudsync_memory_free(sql);
         if (rc != DBRES_OK) return rc;
-        
+
         // schema version
-        snprintf(sql, sizeof(sql), SQL_INSERT_SETTINGS_INT_FORMAT, CLOUDSYNC_KEY_SCHEMAVERSION, (long long)database_schema_version(data));
-        rc = database_exec(data, sql);
+        char sql_int[1024];
+        snprintf(sql_int, sizeof(sql_int), SQL_INSERT_SETTINGS_INT_FORMAT, CLOUDSYNC_KEY_SCHEMAVERSION, (long long)database_schema_version(data));
+        rc = database_exec(data, sql_int);
         if (rc != DBRES_OK) return rc;
     }
 

src/network.c

@@ -942,7 +942,7 @@ void cloudsync_network_logout (sqlite3_context *context, int argc, sqlite3_value
     }
 
     // run everything in a savepoint
-    rc = database_begin_savepoint(data, "cloudsync_logout_savepoint;");
+    rc = database_begin_savepoint(data, "cloudsync_logout_savepoint");
     if (rc != SQLITE_OK) {
         errmsg = cloudsync_memory_mprintf("Unable to create cloudsync_logout savepoint %s", cloudsync_errmsg(data));
         goto finalize;

src/postgresql/cloudsync_postgresql.c

@@ -473,7 +473,7 @@ Datum pg_cloudsync_terminate (PG_FUNCTION_ARGS) {
     PG_END_TRY();
 
     if (spi_connected) SPI_finish();
-    PG_RETURN_INT32(rc);
+    PG_RETURN_BOOL(rc == DBRES_OK);
 }
 
 // MARK: - Settings Functions -
@@ -820,8 +820,7 @@ Datum cloudsync_payload_encode_transfn (PG_FUNCTION_ARGS) {
     // Get or allocate aggregate state
     if (PG_ARGISNULL(0)) {
         MemoryContext oldContext = MemoryContextSwitchTo(aggContext);
-        payload = (cloudsync_payload_context *)cloudsync_memory_alloc(cloudsync_payload_context_size(NULL));
-        memset(payload, 0, cloudsync_payload_context_size(NULL));
+        payload = (cloudsync_payload_context *)palloc0(cloudsync_payload_context_size(NULL));
         MemoryContextSwitchTo(oldContext);
     } else {
         payload = (cloudsync_payload_context *)PG_GETARG_POINTER(0);
@@ -1819,13 +1818,16 @@ static Oid get_column_oid(const char *schema, const char *table_name, const char
     pfree(DatumGetPointer(values[1]));
     if (schema) pfree(DatumGetPointer(values[2]));
 
-    if (ret != SPI_OK_SELECT || SPI_processed == 0) return InvalidOid;
+    if (ret != SPI_OK_SELECT || SPI_processed == 0) {
+        if (SPI_tuptable) SPI_freetuptable(SPI_tuptable);
+        return InvalidOid;
+    }
 
     bool isnull;
     Datum col_oid = SPI_getbinval(SPI_tuptable->vals[0], SPI_tuptable->tupdesc, 1, &isnull);
-    if (isnull) return InvalidOid;
-
-    return DatumGetObjectId(col_oid);
+    Oid result = isnull ? InvalidOid : DatumGetObjectId(col_oid);
+    SPI_freetuptable(SPI_tuptable);
+    return result;
 }
 
 // Decode encoded bytea into a pgvalue_t with the decoded base type.
@@ -1958,23 +1960,34 @@ Datum cloudsync_col_value(PG_FUNCTION_ARGS) {
     }
 
     // execute vm
-    Datum d = (Datum)0;
     int rc = databasevm_step(vm);
     if (rc == DBRES_DONE) {
-        rc = DBRES_OK;
-        PG_RETURN_CSTRING(CLOUDSYNC_RLS_RESTRICTED_VALUE);
+        databasevm_reset(vm);
+        // row not found (RLS or genuinely missing) — return the RLS sentinel as bytea
+        const char *rls = CLOUDSYNC_RLS_RESTRICTED_VALUE;
+        size_t rls_len = strlen(rls);
+        bytea *result = (bytea *)palloc(VARHDRSZ + rls_len);
+        SET_VARSIZE(result, VARHDRSZ + rls_len);
+        memcpy(VARDATA(result), rls, rls_len);
+        PG_RETURN_BYTEA_P(result);
     } else if (rc == DBRES_ROW) {
-        // store value result
-        rc = DBRES_OK;
-        d = database_column_datum(vm, 0);
-    }
-    
-    if (rc != DBRES_OK) {
+        // copy value before reset invalidates SPI tuple memory
+        const void *blob = database_column_blob(vm, 0);
+        int blob_len = database_column_bytes(vm, 0);
+        bytea *result = NULL;
+        if (blob && blob_len > 0) {
+            result = (bytea *)palloc(VARHDRSZ + blob_len);
+            SET_VARSIZE(result, VARHDRSZ + blob_len);
+            memcpy(VARDATA(result), blob, blob_len);
+        }
         databasevm_reset(vm);
-        ereport(ERROR, (errmsg("cloudsync_col_value error: %s", cloudsync_errmsg(data))));
+        if (result) PG_RETURN_BYTEA_P(result);
+        PG_RETURN_NULL();
     }
+
     databasevm_reset(vm);
-    PG_RETURN_DATUM(d);
+    ereport(ERROR, (errmsg("cloudsync_col_value error: %s", cloudsync_errmsg(data))));
+    PG_RETURN_NULL(); // unreachable, silences compiler
 }
 
 // Track SRF execution state across calls