Kelsidavis-WoWee

phaneron/Kelsidavis-WoWee

Fork 0

mirror of https://github.com/Kelsidavis/WoWee.git synced 2026-05-24 23:33:53 +00:00

Commit graph

Author	SHA1	Message	Date
Kelsi	bf75ccd15b	fix(security): close remaining CodeQL critical/high alerts Closes the 5 remaining cpp/command-line-injection alerts plus 3 cpp/integer-multiplication-cast-to-long and 1 cpp/uncontrolled-arithmetic in tools/editor/. (The other open high alerts are all in extern/ third-party headers — imgui, stb_image, miniaudio — and are out of scope for us to patch.) Critical (cmd-injection) → shell-free runChild() helper: - cli_zone_packs.cpp:41,175,182 (+ a 4th site at line 235 that the alert tooling missed). runSilently() refactored to take argv0+args. - cli_audits.cpp:68 — per-zone `--validate-…` self-invocation. - cli_gen_audio.cpp:386 — per-tone `--gen-audio-tone` self-invocation. - editor_ui.cpp:3038 — manifest "open in default app" used a shell concat (open / start / xdg-open). Now uses cli_subprocess::runChild with the platform binary directly. High (int-mul overflow) → widen one operand to size_t: - wowee_terrain.cpp:272 — `resolution * resolution * 3` for the zone map pixel buffer. - terrain_editor.cpp:1848,1859 — `w * h` for stbi_load{,_16} heightmap resize loops; precomputed pixelCount and switched the loop counter to size_t. High (uncontrolled-arithmetic) → bounded increment: - editor_ui.cpp:987 — noise-seed `>>` button incremented `int` without bound. Clamp to INT_MAX.	2026-05-13 19:43:42 -07:00
Kelsi	6c9ab6faed	refactor(editor): extract gen-audio-* handlers into cli_gen_audio.cpp main.cpp had grown past 28k lines, with each new procedural- generation command adding 100-200 lines to the inline if/else dispatch chain. This commit starts breaking that up by moving the four audio-related handlers (--gen-audio-tone, -noise, -sweep, --gen-zone-audio-pack) into their own translation unit. Pattern established here for future family extractions: - Family lives in cli_<family>.{hpp,cpp} - Single dispatch entry point: bool handle<Family>(int& i, int argc, char** argv, int& outRc) — true if matched (writes outRc), false to fall through. - main.cpp's argv loop calls each family's dispatcher first and returns its outRc on match, before the legacy in-line chain. Side-benefit: consolidated the duplicated 25-line WAV header writer + 5ms attack/release envelope into shared helpers (writeWavMono16, applyEdgeEnvelope) at the top of the new file. main.cpp drops from 28,943 → 28,329 lines (-614). Audio family is fully self-contained (~440 lines), behavior unchanged (verified by re-running tone/noise/sweep + zone-audio-pack).	2026-05-08 16:19:30 -07:00

Author

SHA1

Message

Date

Kelsi

bf75ccd15b

fix(security): close remaining CodeQL critical/high alerts

Closes the 5 remaining cpp/command-line-injection alerts plus 3
cpp/integer-multiplication-cast-to-long and 1 cpp/uncontrolled-arithmetic
in tools/editor/. (The other open high alerts are all in extern/
third-party headers — imgui, stb_image, miniaudio — and are out of
scope for us to patch.)

Critical (cmd-injection) → shell-free runChild() helper:
- cli_zone_packs.cpp:41,175,182 (+ a 4th site at line 235 that the
  alert tooling missed). runSilently() refactored to take argv0+args.
- cli_audits.cpp:68 — per-zone `--validate-…` self-invocation.
- cli_gen_audio.cpp:386 — per-tone `--gen-audio-tone` self-invocation.
- editor_ui.cpp:3038 — manifest "open in default app" used a shell
  concat (open / start / xdg-open). Now uses cli_subprocess::runChild
  with the platform binary directly.

High (int-mul overflow) → widen one operand to size_t:
- wowee_terrain.cpp:272 — `resolution * resolution * 3` for the zone
  map pixel buffer.
- terrain_editor.cpp:1848,1859 — `w * h` for stbi_load{,_16} heightmap
  resize loops; precomputed pixelCount and switched the loop counter
  to size_t.

High (uncontrolled-arithmetic) → bounded increment:
- editor_ui.cpp:987 — noise-seed `>>` button incremented `int` without
  bound. Clamp to INT_MAX.

2026-05-13 19:43:42 -07:00

Kelsi

6c9ab6faed

refactor(editor): extract gen-audio-* handlers into cli_gen_audio.cpp

main.cpp had grown past 28k lines, with each new procedural-
generation command adding 100-200 lines to the inline if/else
dispatch chain. This commit starts breaking that up by moving
the four audio-related handlers (--gen-audio-tone, -noise,
-sweep, --gen-zone-audio-pack) into their own translation unit.

Pattern established here for future family extractions:

- Family lives in cli_<family>.{hpp,cpp}
- Single dispatch entry point: bool handle<Family>(int& i, int argc,
  char** argv, int& outRc) — true if matched (writes outRc), false
  to fall through.
- main.cpp's argv loop calls each family's dispatcher first and
  returns its outRc on match, before the legacy in-line chain.

Side-benefit: consolidated the duplicated 25-line WAV header
writer + 5ms attack/release envelope into shared helpers
(writeWavMono16, applyEdgeEnvelope) at the top of the new file.

main.cpp drops from 28,943 → 28,329 lines (-614). Audio family
is fully self-contained (~440 lines), behavior unchanged
(verified by re-running tone/noise/sweep + zone-audio-pack).

2026-05-08 16:19:30 -07:00

2 commits