Allocate exactly one extra byte for cache-buffer NUL terminators

These fread buffers were over-allocated as size+4, a superstitious margin
that never bought anything: every site writes a single trailing NUL at
[size], so size+1 is exactly right. Trim them all to size+1.

The proxytrack disk-fallback read in PT_ReadCache__New_u never wrote that
NUL at all, unlike its sibling read paths in the same file; add the missing
r->adr[r->size] = '\0' so the spare byte is actually used and the buffer is
a valid C string.

Signed-off-by: Xavier Roche <roche@httrack.com>

.github/workflows/ci.yml

@@ -31,7 +31,7 @@ jobs:
     env:
       CC: ${{ matrix.cc }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
 
@@ -61,6 +61,169 @@ jobs:
         if: failure()
         run: cat tests/test-suite.log 2>/dev/null || true
 
+  # Portability: build and test on macOS (Darwin/clang) on a native runner --
+  # no VM. The tree has no __APPLE__ branches, so Darwin exercises the
+  # generic-Unix path on a second libc and kernel. brew's openssl@3 is keg-only,
+  # so point configure at it; everything else is in the SDK or default paths.
+  macos:
+    name: build (macOS arm64, clang)
+    runs-on: macos-14
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Install build dependencies
+        run: |
+          set -euo pipefail
+          brew install autoconf automake libtool autoconf-archive
+
+      - name: Configure
+        run: |
+          set -euo pipefail
+          ssl="$(brew --prefix openssl@3)"
+          autoreconf -fi
+          ./configure CPPFLAGS="-I${ssl}/include" LDFLAGS="-L${ssl}/lib"
+
+      - name: Build
+        run: make -j"$(sysctl -n hw.ncpu)"
+
+      - name: Test
+        run: make check
+
+      - name: Print the test log on failure
+        if: failure()
+        run: cat tests/test-suite.log 2>/dev/null || true
+
+  # Portability/hardening: 32-bit (i386) build on the x86-64 runner via multilib
+  # -- no extra hardware. Exercises the 32-bit size_t/pointer ABI, where size
+  # and bounds math can truncate or wrap in ways 64-bit never reveals (the axis
+  # the overflow-safe bounds work targets). --build (not --host) keeps configure
+  # out of cross mode, so the i386 binary still runs the test suite here.
+  linux-i386:
+    name: build (linux i386, gcc -m32)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Install build dependencies (multilib + 32-bit libs)
+        run: |
+          set -euo pipefail
+          sudo dpkg --add-architecture i386
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            build-essential gcc-multilib autoconf automake libtool \
+            autoconf-archive zlib1g-dev:i386 libssl-dev:i386
+
+      - name: Configure
+        run: |
+          set -euo pipefail
+          autoreconf -fi
+          ./configure --build=i686-pc-linux-gnu CC="gcc -m32"
+
+      - name: Build
+        run: make -j"$(nproc)"
+
+      - name: Test
+        run: make check
+
+      - name: Print the test log on failure
+        if: failure()
+        run: cat tests/test-suite.log 2>/dev/null || true
+
+  # Memory safety: build and run the suite under AddressSanitizer +
+  # UndefinedBehaviorSanitizer. The offline engine self-tests drive the parsers
+  # that chew on untrusted crawled input (charset, mime, HTML, entities, IDNA,
+  # filters, cache) straight through the sanitizers, so a buffer overrun,
+  # use-after-free, or signed overflow there fails the build instead of slipping
+  # past a plain -O2 build. gcc's runtimes; one job is enough (the bug class is
+  # arch-independent and the matrix already covers compile portability).
+  sanitize:
+    name: sanitize (ASan+UBSan, gcc)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Install build dependencies
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            build-essential autoconf automake libtool autoconf-archive \
+            zlib1g-dev libssl-dev
+
+      - name: Configure (sanitized)
+        run: |
+          set -euo pipefail
+          autoreconf -fi
+          ./configure CC=gcc \
+            CFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -g -O1 -fno-omit-frame-pointer" \
+            LDFLAGS="-fsanitize=address,undefined"
+
+      - name: Build
+        run: make -j"$(nproc)"
+
+      - name: Test (sanitized)
+        # Leaks at exit are out of scope (the CLI frees little on the way out);
+        # we want memory-safety errors, so turn leak detection off and make every
+        # other finding abort the run.
+        #
+        # Poison fresh allocations with 0xCA and freed blocks with 0xCB (decimal
+        # 202/203) so memory never reads back as accidental zeros: a missing-NUL
+        # fread buffer then runs strlen off into the redzone instead of stopping
+        # at a lucky zero. Distinct bytes tell the two apart in a dump (0xCA =
+        # uninitialized, 0xCB = use-after-free). ASan caps its malloc fill at 4096
+        # bytes by default, so max_malloc_fill_size lifts it to cover large cache
+        # buffers; free_fill flags use-after-free reads.
+        env:
+          ASAN_OPTIONS: detect_leaks=0:abort_on_error=1:halt_on_error=1:strict_string_checks=1:malloc_fill_byte=202:max_malloc_fill_size=2147483647:free_fill_byte=203:max_free_fill_size=2147483647
+          UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
+        run: make check
+
+      - name: Print the test log on failure
+        if: failure()
+        run: cat tests/test-suite.log 2>/dev/null || true
+
+  # Optional-dependency build: compile and test with HTTPS/OpenSSL disabled --
+  # the configuration users on minimal systems build, and one libssl is not even
+  # installed here so configure cannot silently re-enable it. The matrix above
+  # always has libssl, so the #if HTS_USEOPENSSL branches would otherwise never
+  # be compiled and could rot unnoticed.
+  no-ssl:
+    name: build (no openssl, --disable-https)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Install build dependencies (no libssl)
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            build-essential autoconf automake libtool autoconf-archive zlib1g-dev
+
+      - name: Configure (https disabled)
+        run: |
+          set -euo pipefail
+          autoreconf -fi
+          ./configure --disable-https
+
+      - name: Build
+        run: make -j"$(nproc)"
+
+      - name: Test
+        run: make check
+
+      - name: Print the test log on failure
+        if: failure()
+        run: cat tests/test-suite.log 2>/dev/null || true
+
   # Validate the Debian packaging via the same script maintainers release with.
   # One amd64/gcc run is enough: packaging (control/rules/manifest/lintian/quilt
   # source build) is arch- and compiler-independent, and the build matrix above
@@ -69,7 +232,7 @@ jobs:
     name: deb package (lintian)
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
 
@@ -84,8 +247,44 @@ jobs:
 
       # --unsigned: CI has no GPG key (also skips the release sig/checksums).
       # debuild builds every package, then lintian gates on errors.
+      #
+      # DEB_BUILD_OPTIONS trims work CI does not need (release builds via
+      # mkdeb.sh are untouched): noautodbgsym drops the -dbgsym packages whose
+      # LTO payloads are slow to compress and that CI never ships; parallel uses
+      # every core. We let debuild run its test pass -- the only one now that
+      # mkdeb no longer runs its own -- so CI exercises the packaged tests.
       - name: Build Debian packages
-        run: bash tools/mkdeb.sh --unsigned --no-release-artifacts
+        run: |
+          export DEB_BUILD_OPTIONS="noautodbgsym parallel=$(nproc)"
+          bash tools/mkdeb.sh --unsigned --no-release-artifacts
+
+  # Release-tarball integrity: `make distcheck` rolls the dist tarball, then
+  # configures, builds and tests it out-of-tree from a read-only source tree and
+  # checks nothing is left behind. Catches a file referenced in *_SOURCES or
+  # EXTRA_DIST but missing from the tarball -- the same "ships broken to users"
+  # class as a stale committed Makefile.in.
+  distcheck:
+    name: distcheck (release tarball)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Install build dependencies
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            build-essential autoconf automake libtool autoconf-archive \
+            zlib1g-dev libssl-dev
+
+      - name: distcheck
+        run: |
+          set -euo pipefail
+          autoreconf -fi
+          ./configure
+          make -j"$(nproc)" distcheck
 
   dco:
     name: DCO sign-off
@@ -93,7 +292,7 @@ jobs:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -122,7 +321,7 @@ jobs:
     name: lint (shellcheck, shfmt)
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Install linters
         env:
@@ -151,7 +350,7 @@ jobs:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

Makefile.in

@@ -257,6 +257,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@

configure

@@ -695,6 +695,7 @@ HAVE_VISIBILITY
 CFLAG_VISIBILITY
 LDFLAGS_PIE
 CFLAGS_PIE
+LIBC_FORCE_LINK
 DEFAULT_LDFLAGS
 DEFAULT_CFLAGS
 VERSION_INFO
@@ -15871,6 +15872,53 @@ esac
 fi
 
 
+# Force libc back into DT_NEEDED for libraries that reach it only through
+# libhttrack (libhtsjava, the libtest callbacks), but only with a GNU-style
+# linker; Apple ld rejects these flags and links libSystem unconditionally.
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--push-state,--no-as-needed,-lc,--pop-state" >&5
+printf %s "checking whether the linker accepts -Wl,--push-state,--no-as-needed,-lc,--pop-state... " >&6; }
+if test ${ax_cv_check_ldflags___Wl___push_state___no_as_needed__lc___pop_state+y}
+then :
+  printf %s "(cached) " >&6
+else case e in #(
+  e)
+  ax_check_save_flags=$LDFLAGS
+  LDFLAGS="$LDFLAGS  -Wl,--push-state,--no-as-needed,-lc,--pop-state"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main (void)
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  ax_cv_check_ldflags___Wl___push_state___no_as_needed__lc___pop_state=yes
+else case e in #(
+  e) ax_cv_check_ldflags___Wl___push_state___no_as_needed__lc___pop_state=no ;;
+esac
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS=$ax_check_save_flags ;;
+esac
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___push_state___no_as_needed__lc___pop_state" >&5
+printf "%s\n" "$ax_cv_check_ldflags___Wl___push_state___no_as_needed__lc___pop_state" >&6; }
+if test "x$ax_cv_check_ldflags___Wl___push_state___no_as_needed__lc___pop_state" = xyes
+then :
+  LIBC_FORCE_LINK="-Wl,--push-state,--no-as-needed,-lc,--pop-state"
+else case e in #(
+  e) : ;;
+esac
+fi
+
+
+
 ### PIE
 CFLAGS_PIE=""
 LDFLAGS_PIE=""

configure.ac

@@ -91,6 +91,13 @@ AX_CHECK_LINK_FLAG([-Wl,--no-undefined], [DEFAULT_LDFLAGS="$DEFAULT_LDFLAGS -Wl,
 AX_CHECK_LINK_FLAG([-Wl,-z,relro,-z,now], [DEFAULT_LDFLAGS="$DEFAULT_LDFLAGS -Wl,-z,relro,-z,now"])
 AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [DEFAULT_LDFLAGS="$DEFAULT_LDFLAGS -Wl,-z,noexecstack"])
 
+# Force libc back into DT_NEEDED for libraries that reach it only through
+# libhttrack (libhtsjava, the libtest callbacks), but only with a GNU-style
+# linker; Apple ld rejects these flags and links libSystem unconditionally.
+AX_CHECK_LINK_FLAG([-Wl,--push-state,--no-as-needed,-lc,--pop-state],
+	[LIBC_FORCE_LINK="-Wl,--push-state,--no-as-needed,-lc,--pop-state"])
+AC_SUBST([LIBC_FORCE_LINK])
+
 ### PIE
 CFLAGS_PIE=""
 LDFLAGS_PIE=""

debian/webhttrack.files

@@ -4,3 +4,4 @@ usr/share/man/man1/webhttrack.1
 usr/share/man/man1/htsserver.1
 usr/share/applications/WebHTTrack-Websites.desktop
 usr/share/applications/WebHTTrack.desktop
+usr/share/metainfo/com.httrack.WebHTTrack.metainfo.xml

html/Makefile.am

@@ -12,6 +12,7 @@ WebIcon16x16dir = $(datadir)/icons/hicolor/16x16/apps
 WebIcon32x32dir = $(datadir)/icons/hicolor/32x32/apps
 WebIcon48x48dir = $(datadir)/icons/hicolor/48x48/apps
 VFolderEntrydir = $(prefix)/share/applications
+MetaInfodir = $(datadir)/metainfo
 
 # Wildcards are globbed against $(srcdir): a bare "*.html" is resolved against
 # the build dir and stays unexpanded (breaking "make") in an out-of-tree build.
@@ -33,11 +34,12 @@ WebIcon16x16_DATA = $(srcdir)/server/div/16x16/*.png
 WebIcon32x32_DATA = $(srcdir)/server/div/32x32/*.png
 WebIcon48x48_DATA = $(srcdir)/server/div/48x48/*.png
 VFolderEntry_DATA = $(srcdir)/server/div/*.desktop
+MetaInfo_DATA = $(srcdir)/server/div/*.metainfo.xml
 
 EXTRA_DIST = $(HelpHtml_DATA) $(HelpHtmlimg_DATA) $(HelpHtmlimages_DATA) \
 	$(HelpHtmldiv_DATA) $(WebHtml_DATA) $(WebHtmlimages_DATA) \
 	$(WebPixmap_DATA) $(WebIcon16x16_DATA) $(WebIcon32x32_DATA) $(WebIcon48x48_DATA) \
-	$(VFolderEntry_DATA) \
+	$(VFolderEntry_DATA) $(MetaInfo_DATA) \
 	httrack.css
 
 install-data-hook:

html/Makefile.in

@@ -152,14 +152,15 @@ am__uninstall_files_from_dir = { \
 am__installdirs = "$(DESTDIR)$(HelpHtmldir)" \
 	"$(DESTDIR)$(HelpHtmlTxtdir)" "$(DESTDIR)$(HelpHtmldivdir)" \
 	"$(DESTDIR)$(HelpHtmlimagesdir)" "$(DESTDIR)$(HelpHtmlimgdir)" \
-	"$(DESTDIR)$(HelpHtmlrootdir)" "$(DESTDIR)$(VFolderEntrydir)" \
-	"$(DESTDIR)$(WebHtmldir)" "$(DESTDIR)$(WebHtmlimagesdir)" \
-	"$(DESTDIR)$(WebIcon16x16dir)" "$(DESTDIR)$(WebIcon32x32dir)" \
-	"$(DESTDIR)$(WebIcon48x48dir)" "$(DESTDIR)$(WebPixmapdir)"
+	"$(DESTDIR)$(HelpHtmlrootdir)" "$(DESTDIR)$(MetaInfodir)" \
+	"$(DESTDIR)$(VFolderEntrydir)" "$(DESTDIR)$(WebHtmldir)" \
+	"$(DESTDIR)$(WebHtmlimagesdir)" "$(DESTDIR)$(WebIcon16x16dir)" \
+	"$(DESTDIR)$(WebIcon32x32dir)" "$(DESTDIR)$(WebIcon48x48dir)" \
+	"$(DESTDIR)$(WebPixmapdir)"
 DATA = $(HelpHtml_DATA) $(HelpHtmlTxt_DATA) $(HelpHtmldiv_DATA) \
 	$(HelpHtmlimages_DATA) $(HelpHtmlimg_DATA) \
-	$(HelpHtmlroot_DATA) $(VFolderEntry_DATA) $(WebHtml_DATA) \
-	$(WebHtmlimages_DATA) $(WebIcon16x16_DATA) \
+	$(HelpHtmlroot_DATA) $(MetaInfo_DATA) $(VFolderEntry_DATA) \
+	$(WebHtml_DATA) $(WebHtmlimages_DATA) $(WebIcon16x16_DATA) \
 	$(WebIcon32x32_DATA) $(WebIcon48x48_DATA) $(WebPixmap_DATA)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 am__DIST_COMMON = $(srcdir)/Makefile.in
@@ -212,6 +213,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -320,6 +322,7 @@ WebIcon16x16dir = $(datadir)/icons/hicolor/16x16/apps
 WebIcon32x32dir = $(datadir)/icons/hicolor/32x32/apps
 WebIcon48x48dir = $(datadir)/icons/hicolor/48x48/apps
 VFolderEntrydir = $(prefix)/share/applications
+MetaInfodir = $(datadir)/metainfo
 
 # Wildcards are globbed against $(srcdir): a bare "*.html" is resolved against
 # the build dir and stays unexpanded (breaking "make") in an out-of-tree build.
@@ -341,10 +344,11 @@ WebIcon16x16_DATA = $(srcdir)/server/div/16x16/*.png
 WebIcon32x32_DATA = $(srcdir)/server/div/32x32/*.png
 WebIcon48x48_DATA = $(srcdir)/server/div/48x48/*.png
 VFolderEntry_DATA = $(srcdir)/server/div/*.desktop
+MetaInfo_DATA = $(srcdir)/server/div/*.metainfo.xml
 EXTRA_DIST = $(HelpHtml_DATA) $(HelpHtmlimg_DATA) $(HelpHtmlimages_DATA) \
 	$(HelpHtmldiv_DATA) $(WebHtml_DATA) $(WebHtmlimages_DATA) \
 	$(WebPixmap_DATA) $(WebIcon16x16_DATA) $(WebIcon32x32_DATA) $(WebIcon48x48_DATA) \
-	$(VFolderEntry_DATA) \
+	$(VFolderEntry_DATA) $(MetaInfo_DATA) \
 	httrack.css
 
 all: all-am
@@ -511,6 +515,27 @@ uninstall-HelpHtmlrootDATA:
 	@list='$(HelpHtmlroot_DATA)'; test -n "$(HelpHtmlrootdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
 	dir='$(DESTDIR)$(HelpHtmlrootdir)'; $(am__uninstall_files_from_dir)
+install-MetaInfoDATA: $(MetaInfo_DATA)
+	@$(NORMAL_INSTALL)
+	@list='$(MetaInfo_DATA)'; test -n "$(MetaInfodir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(MetaInfodir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(MetaInfodir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(MetaInfodir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(MetaInfodir)" || exit $$?; \
+	done
+
+uninstall-MetaInfoDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(MetaInfo_DATA)'; test -n "$(MetaInfodir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	dir='$(DESTDIR)$(MetaInfodir)'; $(am__uninstall_files_from_dir)
 install-VFolderEntryDATA: $(VFolderEntry_DATA)
 	@$(NORMAL_INSTALL)
 	@list='$(VFolderEntry_DATA)'; test -n "$(VFolderEntrydir)" || list=; \
@@ -701,7 +726,7 @@ check-am: all-am
 check: check-am
 all-am: Makefile $(DATA)
 installdirs:
-	for dir in "$(DESTDIR)$(HelpHtmldir)" "$(DESTDIR)$(HelpHtmlTxtdir)" "$(DESTDIR)$(HelpHtmldivdir)" "$(DESTDIR)$(HelpHtmlimagesdir)" "$(DESTDIR)$(HelpHtmlimgdir)" "$(DESTDIR)$(HelpHtmlrootdir)" "$(DESTDIR)$(VFolderEntrydir)" "$(DESTDIR)$(WebHtmldir)" "$(DESTDIR)$(WebHtmlimagesdir)" "$(DESTDIR)$(WebIcon16x16dir)" "$(DESTDIR)$(WebIcon32x32dir)" "$(DESTDIR)$(WebIcon48x48dir)" "$(DESTDIR)$(WebPixmapdir)"; do \
+	for dir in "$(DESTDIR)$(HelpHtmldir)" "$(DESTDIR)$(HelpHtmlTxtdir)" "$(DESTDIR)$(HelpHtmldivdir)" "$(DESTDIR)$(HelpHtmlimagesdir)" "$(DESTDIR)$(HelpHtmlimgdir)" "$(DESTDIR)$(HelpHtmlrootdir)" "$(DESTDIR)$(MetaInfodir)" "$(DESTDIR)$(VFolderEntrydir)" "$(DESTDIR)$(WebHtmldir)" "$(DESTDIR)$(WebHtmlimagesdir)" "$(DESTDIR)$(WebIcon16x16dir)" "$(DESTDIR)$(WebIcon32x32dir)" "$(DESTDIR)$(WebIcon48x48dir)" "$(DESTDIR)$(WebPixmapdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -757,10 +782,10 @@ info-am:
 install-data-am: install-HelpHtmlDATA install-HelpHtmlTxtDATA \
 	install-HelpHtmldivDATA install-HelpHtmlimagesDATA \
 	install-HelpHtmlimgDATA install-HelpHtmlrootDATA \
-	install-VFolderEntryDATA install-WebHtmlDATA \
-	install-WebHtmlimagesDATA install-WebIcon16x16DATA \
-	install-WebIcon32x32DATA install-WebIcon48x48DATA \
-	install-WebPixmapDATA
+	install-MetaInfoDATA install-VFolderEntryDATA \
+	install-WebHtmlDATA install-WebHtmlimagesDATA \
+	install-WebIcon16x16DATA install-WebIcon32x32DATA \
+	install-WebIcon48x48DATA install-WebPixmapDATA
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 install-dvi: install-dvi-am
@@ -808,10 +833,10 @@ ps-am:
 uninstall-am: uninstall-HelpHtmlDATA uninstall-HelpHtmlTxtDATA \
 	uninstall-HelpHtmldivDATA uninstall-HelpHtmlimagesDATA \
 	uninstall-HelpHtmlimgDATA uninstall-HelpHtmlrootDATA \
-	uninstall-VFolderEntryDATA uninstall-WebHtmlDATA \
-	uninstall-WebHtmlimagesDATA uninstall-WebIcon16x16DATA \
-	uninstall-WebIcon32x32DATA uninstall-WebIcon48x48DATA \
-	uninstall-WebPixmapDATA
+	uninstall-MetaInfoDATA uninstall-VFolderEntryDATA \
+	uninstall-WebHtmlDATA uninstall-WebHtmlimagesDATA \
+	uninstall-WebIcon16x16DATA uninstall-WebIcon32x32DATA \
+	uninstall-WebIcon48x48DATA uninstall-WebPixmapDATA
 
 .MAKE: install-am install-data-am install-strip
 
@@ -821,20 +846,21 @@ uninstall-am: uninstall-HelpHtmlDATA uninstall-HelpHtmlTxtDATA \
 	install install-HelpHtmlDATA install-HelpHtmlTxtDATA \
 	install-HelpHtmldivDATA install-HelpHtmlimagesDATA \
 	install-HelpHtmlimgDATA install-HelpHtmlrootDATA \
-	install-VFolderEntryDATA install-WebHtmlDATA \
-	install-WebHtmlimagesDATA install-WebIcon16x16DATA \
-	install-WebIcon32x32DATA install-WebIcon48x48DATA \
-	install-WebPixmapDATA install-am install-data install-data-am \
-	install-data-hook install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
-	uninstall-HelpHtmlDATA uninstall-HelpHtmlTxtDATA \
-	uninstall-HelpHtmldivDATA uninstall-HelpHtmlimagesDATA \
-	uninstall-HelpHtmlimgDATA uninstall-HelpHtmlrootDATA \
+	install-MetaInfoDATA install-VFolderEntryDATA \
+	install-WebHtmlDATA install-WebHtmlimagesDATA \
+	install-WebIcon16x16DATA install-WebIcon32x32DATA \
+	install-WebIcon48x48DATA install-WebPixmapDATA install-am \
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags-am uninstall uninstall-HelpHtmlDATA \
+	uninstall-HelpHtmlTxtDATA uninstall-HelpHtmldivDATA \
+	uninstall-HelpHtmlimagesDATA uninstall-HelpHtmlimgDATA \
+	uninstall-HelpHtmlrootDATA uninstall-MetaInfoDATA \
 	uninstall-VFolderEntryDATA uninstall-WebHtmlDATA \
 	uninstall-WebHtmlimagesDATA uninstall-WebIcon16x16DATA \
 	uninstall-WebIcon32x32DATA uninstall-WebIcon48x48DATA \

html/server/div/WebHTTrack-Websites.desktop

@@ -8,3 +8,6 @@ Comment=Browse Websites Mirrored by WebHTTrack
 Keywords=browse mirrored;
 Exec=webhttrack browse
 Icon=httrack
+# Helper launcher for WebHTTrack's browse mode, not a standalone app: keep it
+# out of software-center catalogs so it doesn't duplicate the main entry.
+X-AppStream-Ignore=true

html/server/div/com.httrack.WebHTTrack.metainfo.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright 2026 Xavier Roche <roche@httrack.com> -->
+<component type="desktop-application">
+  <id>com.httrack.WebHTTrack</id>
+  <metadata_license>FSFAP</metadata_license>
+  <project_license>GPL-3.0-or-later</project_license>
+  <name>WebHTTrack Website Copier</name>
+  <summary>Copy websites to your computer for offline browsing</summary>
+  <description>
+    <p>
+      WebHTTrack is the web interface to HTTrack, an offline browser utility.
+      It downloads a website from the Internet to a local directory, fetching
+      the HTML, images, and other files and rebuilding the site's link
+      structure so you can browse it offline.
+    </p>
+    <p>
+      A step-by-step web interface guides you through choosing the addresses
+      to mirror and the options to apply. Mirrors can be updated in place and
+      interrupted downloads resumed.
+    </p>
+    <p>Typical uses include:</p>
+    <ul>
+      <li>Keeping an offline copy of a website for reading without a connection</li>
+      <li>Archiving or preserving sites and capturing them for later reference</li>
+      <li>Updating an existing local mirror without downloading it again</li>
+    </ul>
+  </description>
+  <launchable type="desktop-id">WebHTTrack.desktop</launchable>
+  <icon type="stock">httrack</icon>
+  <categories>
+    <category>Network</category>
+  </categories>
+  <keywords>
+    <keyword>offline browser</keyword>
+    <keyword>website copier</keyword>
+    <keyword>mirror</keyword>
+    <keyword>crawl</keyword>
+    <keyword>archiving</keyword>
+  </keywords>
+  <url type="homepage">https://www.httrack.com/</url>
+  <url type="bugtracker">https://github.com/xroche/httrack/issues</url>
+  <developer id="com.httrack">
+    <name>Xavier Roche</name>
+  </developer>
+  <screenshots>
+    <screenshot type="default">
+      <caption>Choosing the addresses and options for a new mirror</caption>
+      <image>https://www.httrack.com/html/images/screenshot_01b.jpg</image>
+    </screenshot>
+  </screenshots>
+  <content_rating type="oars-1.1"/>
+  <releases>
+    <release version="3.49.8" date="2026-06-07"/>
+  </releases>
+</component>

lang/Makefile.in

@@ -202,6 +202,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@

libtest/Makefile.am

@@ -20,11 +20,12 @@ AM_CPPFLAGS += -I$(top_srcdir)/src
 
 # The callback examples reference libc only through libhttrack, so the direct
 # libc edge gets dropped from DT_NEEDED (library-not-linked-against-libc).
-# Force libc to be recorded as a dependency.
+# Force libc back; configure gates the flag since only a GNU-style linker
+# accepts it (LIBC_FORCE_LINK is empty on e.g. macOS).
 AM_LDFLAGS = \
 	@DEFAULT_LDFLAGS@ \
 	-L../src \
-	-Wl,--push-state,--no-as-needed,-lc,--pop-state
+	@LIBC_FORCE_LINK@
 
 # Examples
 libbaselinks_la_SOURCES =  callbacks-example-baselinks.c

libtest/Makefile.in

@@ -344,6 +344,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -453,11 +454,12 @@ AM_CPPFLAGS = @DEFAULT_CFLAGS@ @THREADS_CFLAGS@ @V6_FLAG@ @LFS_FLAG@ \
 
 # The callback examples reference libc only through libhttrack, so the direct
 # libc edge gets dropped from DT_NEEDED (library-not-linked-against-libc).
-# Force libc to be recorded as a dependency.
+# Force libc back; configure gates the flag since only a GNU-style linker
+# accepts it (LIBC_FORCE_LINK is empty on e.g. macOS).
 AM_LDFLAGS = \
 	@DEFAULT_LDFLAGS@ \
 	-L../src \
-	-Wl,--push-state,--no-as-needed,-lc,--pop-state
+	@LIBC_FORCE_LINK@
 
 
 # Examples

m4/Makefile.in

@@ -173,6 +173,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@

man/Makefile.in

@@ -203,6 +203,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@

src/Makefile.am

@@ -86,8 +86,9 @@ libhtsjava_la_SOURCES = htsjava.c htsjava.h
 libhtsjava_la_LIBADD = $(THREADS_LIBS) $(DL_LIBS) libhttrack.la
 # This thin JNI wrapper reaches libc only through libhttrack, so the direct
 # libc edge is dropped from DT_NEEDED (library-not-linked-against-libc). Force
-# libc to be recorded as a dependency.
-libhtsjava_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(VERSION_INFO) -Wl,--push-state,--no-as-needed,-lc,--pop-state
+# libc back as a dependency; configure gates the flag since only a GNU-style
+# linker accepts it (LIBC_FORCE_LINK is empty on e.g. macOS).
+libhtsjava_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(VERSION_INFO) $(LIBC_FORCE_LINK)
 
 EXTRA_DIST = httrack.h webhttrack \
 		coucal/murmurhash3.h.diff \
@@ -113,5 +114,12 @@ EXTRA_DIST = httrack.h webhttrack \
 		proxy/proxytrack.h \
 		proxy/store.h \
 		proxy/proxytrack.vcproj \
-		coucal/* \
-		*.dsw *.dsp *.vcproj
+		coucal/LICENSE \
+		coucal/Makefile \
+		coucal/README.md \
+		coucal/sample.c \
+		coucal/tests.c \
+		htsjava.vcproj \
+		httrack.dsp httrack.dsw httrack.vcproj \
+		libhttrack.dsp libhttrack.dsw libhttrack.vcproj \
+		webhttrack.dsp webhttrack.dsw webhttrack.vcproj

src/Makefile.in

@@ -361,6 +361,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -537,8 +538,9 @@ libhtsjava_la_SOURCES = htsjava.c htsjava.h
 libhtsjava_la_LIBADD = $(THREADS_LIBS) $(DL_LIBS) libhttrack.la
 # This thin JNI wrapper reaches libc only through libhttrack, so the direct
 # libc edge is dropped from DT_NEEDED (library-not-linked-against-libc). Force
-# libc to be recorded as a dependency.
-libhtsjava_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(VERSION_INFO) -Wl,--push-state,--no-as-needed,-lc,--pop-state
+# libc back as a dependency; configure gates the flag since only a GNU-style
+# linker accepts it (LIBC_FORCE_LINK is empty on e.g. macOS).
+libhtsjava_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(VERSION_INFO) $(LIBC_FORCE_LINK)
 EXTRA_DIST = httrack.h webhttrack \
 		coucal/murmurhash3.h.diff \
 		coucal/murmurhash3.h.orig \
@@ -563,8 +565,15 @@ EXTRA_DIST = httrack.h webhttrack \
 		proxy/proxytrack.h \
 		proxy/store.h \
 		proxy/proxytrack.vcproj \
-		coucal/* \
-		*.dsw *.dsp *.vcproj
+		coucal/LICENSE \
+		coucal/Makefile \
+		coucal/README.md \
+		coucal/sample.c \
+		coucal/tests.c \
+		htsjava.vcproj \
+		httrack.dsp httrack.dsw httrack.vcproj \
+		libhttrack.dsp libhttrack.dsw libhttrack.vcproj \
+		webhttrack.dsp webhttrack.dsw webhttrack.vcproj
 
 all: all-am
 

src/htscache.c

@@ -939,7 +939,7 @@ static htsblk cache_readex_new(httrackp * opt, cache_back * cache,
                   FILE *const fp = FOPEN(fconv(catbuff, sizeof(catbuff), previous_save), "rb");
 
                   if (fp != NULL) {
-                    r.adr = (char *) malloct((int) r.size + 4);
+                    r.adr = (char *) malloct((int) r.size + 1);
                     if (r.adr != NULL) {
                       if (r.size > 0
                           && fread(r.adr, 1, (int) r.size, fp) != r.size) {
@@ -948,7 +948,8 @@ static htsblk cache_readex_new(httrackp * opt, cache_back * cache,
                         r.statuscode = STATUSCODE_INVALID;
                         sprintf(r.msg, "Read error in cache disk data: %s",
                                 strerror(last_errno));
-                      }
+                      } else if (r.size >= 0)
+                        *(r.adr + r.size) = '\0';
                     } else {
                       r.statuscode = STATUSCODE_INVALID;
                       strcpybuff(r.msg,
@@ -965,7 +966,7 @@ static htsblk cache_readex_new(httrackp * opt, cache_back * cache,
               // Data in cache.
               else {
                 // lire fichier (d'un coup)
-                r.adr = (char *) malloct((int) r.size + 4);
+                r.adr = (char *) malloct((int) r.size + 1);
                 if (r.adr != NULL) {
                   if (unzReadCurrentFile((unzFile) cache->zipInput, r.adr, (int) r.size) != r.size) {   // erreur
                     freet(r.adr);
@@ -1245,13 +1246,14 @@ static htsblk cache_readex_old(httrackp * opt, cache_back * cache,
                     FILE *fp = FOPEN(fconv(catbuff, sizeof(catbuff), return_save), "rb");
 
                     if (fp != NULL) {
-                      r.adr = (char *) malloct((size_t) r.size + 4);
+                      r.adr = (char *) malloct((size_t) r.size + 1);
                       if (r.adr != NULL) {
                         if (r.size > 0
                             && fread(r.adr, 1, (size_t) r.size, fp) != r.size) {
                           r.statuscode = STATUSCODE_INVALID;
                           strcpybuff(r.msg, "Read error in cache disk data");
-                        }
+                        } else if (r.size >= 0)
+                          *(r.adr + r.size) = '\0';
                       } else {
                         r.statuscode = STATUSCODE_INVALID;
                         strcpybuff(r.msg,
@@ -1266,7 +1268,7 @@ static htsblk cache_readex_old(httrackp * opt, cache_back * cache,
                 }
               } else {
                 // lire fichier (d'un coup)
-                r.adr = (char *) malloct((size_t) r.size + 4);
+                r.adr = (char *) malloct((size_t) r.size + 1);
                 if (r.adr != NULL) {
                   if (fread(r.adr, 1, (size_t) r.size, cache->olddat) != r.size) {      // erreur
                     freet(r.adr);
@@ -1369,10 +1371,11 @@ int cache_readdata(cache_back * cache, const char *str1, const char *str2,
 
         cache_rint(cache->olddat, &len);
         if (len > 0) {
-          char *mem_buff = (char *) malloct(len + 4);   /* Plus byte 0 */
+          char *mem_buff = (char *) malloct(len + 1); /* trailing \0 */
 
           if (mem_buff) {
             if (fread(mem_buff, 1, len, cache->olddat) == len) {        // lire tout (y compris statuscode etc)*/
+              mem_buff[len] = '\0';
               *inbuff = mem_buff;
               *inlen = len;
               return 1;

src/htscache_selftest.c

@@ -182,6 +182,16 @@ static int check_entry(httrackp *opt, cache_back *cache, const char *adr,
     fail++;
   }
 
+  /* The loaded body must be NUL-terminated at [size]: cache_readex's strlen()
+     consumers (htscore.c:1046, htscache.c) rely on it, and a missing
+     terminator is a heap over-read. The buffer is malloc(size + slack), so
+     reading [size] is in bounds. */
+  if (r.adr != NULL && r.adr[r.size] != '\0') {
+    fprintf(stderr, "cache-selftest: %s%s: body not NUL-terminated at [size]\n",
+            adr, fil);
+    fail++;
+  }
+
 #undef CHECK_STR
 
   if (r.adr != NULL) {
@@ -208,6 +218,107 @@ static void gen_body(char *buf, size_t len, int kind) {
   }
 }
 
+/* Exercise the disk-fallback read path: a record stored with X-In-Cache: 0
+   keeps its body on disk (not in the ZIP), and cache_readex must load it from
+   there. The one-shot crawl tests never re-read such a body into memory, so
+   this path otherwise has no runtime coverage. We store the header with
+   all_in_cache=0 and a non-hypertext content-type (-> X-In-Cache: 0), create
+   the body at the exact fconv()-resolved path the reader uses, then read it
+   back and assert it round-trips and is NUL-terminated. */
+static int disk_fallback_selftest(httrackp *opt) {
+  int fail = 0;
+  cache_back cache;
+  htsblk r;
+  char catbuff[HTS_URLMAXSIZE * 2];
+  char *path;
+  char *locbuf;
+  FILE *fp;
+  const char *const adr = "example.com";
+  const char *const fil = "/blob.bin";
+  char save[HTS_URLMAXSIZE * 2];
+  /* no embedded NUL: were the read to leave this un-terminated, a later
+     strlen() would run off the end (the bug this guards) */
+  static const char body[] = "BINARY-on-disk-body-0123456789-no-trailing-nul";
+  const size_t body_len = sizeof(body) - 1;
+
+  /* X-Save must start with path_html_utf8 so the reader resolves it verbatim
+     (otherwise it re-roots it as a pre-3.40 relative path); then the body we
+     create at fconv(save) is exactly where cache_readex looks for it. */
+  fconcat(save, sizeof(save), StringBuff(opt->path_html_utf8),
+          "example.com/blob.bin");
+
+  /* write only the header (X-In-Cache: 0); the body stays on disk */
+  selftest_open_for_write(&cache, opt);
+  {
+    htsblk w;
+    char locw[4];
+    char *bodycopy = malloct(body_len);
+
+    hts_init_htsblk(&w);
+    w.statuscode = 200;
+    w.size = (LLint) body_len;
+    strcpybuff(w.msg, "OK");
+    strcpybuff(w.contenttype, "application/octet-stream");
+    locw[0] = '\0';
+    w.location = locw;
+    w.is_write = 0;
+    memcpy(bodycopy, body, body_len);
+    w.adr = bodycopy;
+    cache_add(opt, &cache, &w, adr, fil, save, 0 /* all_in_cache */, NULL);
+    freet(bodycopy);
+  }
+  selftest_close(&cache);
+
+  /* create the on-disk body where the reader will look for it */
+  path = fconv(catbuff, sizeof(catbuff), save);
+  (void) structcheck(path);
+  fp = FOPEN(path, "wb");
+  if (fp == NULL) {
+    fprintf(stderr, "cache-selftest: disk-fallback: cannot create '%s'\n",
+            path);
+    return 1;
+  }
+  if (fwrite(body, 1, body_len, fp) != body_len) {
+    fprintf(stderr, "cache-selftest: disk-fallback: short write to '%s'\n",
+            path);
+    fail++;
+  }
+  fclose(fp);
+
+  /* read it back: takes the X-In-Cache: 0 disk-fallback branch */
+  selftest_open_for_read(&cache, opt);
+  locbuf = malloct(HTS_URLMAXSIZE * 2);
+  locbuf[0] = '\0';
+  r = cache_readex(opt, &cache, adr, fil, "", locbuf, NULL, 1);
+  if (r.statuscode != 200) {
+    fprintf(stderr,
+            "cache-selftest: disk-fallback: statuscode %d, expected 200"
+            " (path not taken or read failed)\n",
+            r.statuscode);
+    fail++;
+  }
+  if (r.size != (LLint) body_len) {
+    fprintf(stderr,
+            "cache-selftest: disk-fallback: size " LLintP ", expected %d\n",
+            (LLint) r.size, (int) body_len);
+    fail++;
+  } else if (r.adr == NULL || memcmp(r.adr, body, body_len) != 0) {
+    fprintf(stderr, "cache-selftest: disk-fallback: body mismatch\n");
+    fail++;
+  }
+  /* the loaded body must be NUL-terminated at [size] */
+  if (r.adr != NULL && r.adr[r.size] != '\0') {
+    fprintf(stderr, "cache-selftest: disk-fallback: body not NUL-terminated\n");
+    fail++;
+  }
+  if (r.adr != NULL) {
+    freet(r.adr);
+  }
+  freet(locbuf);
+  selftest_close(&cache);
+  return fail;
+}
+
 int cache_selftests(httrackp *opt, const char *dir) {
   int failures = 0;
   cache_back cache;
@@ -257,6 +368,10 @@ int cache_selftests(httrackp *opt, const char *dir) {
       strcatbuff(base, "/");
     }
     StringCopy(opt->path_log, base);
+    /* the disk-fallback pass resolves on-disk body paths through fconv(), which
+       is rooted at path_html; keep it inside the test directory too */
+    StringCopy(opt->path_html, base);
+    StringCopy(opt->path_html_utf8, base);
   }
   opt->cache = 1;
 
@@ -366,6 +481,9 @@ int cache_selftests(httrackp *opt, const char *dir) {
                   "", body_updated, strlen(body_updated));
   selftest_close(&cache);
 
+  /* pass 5: the disk-fallback read path (X-In-Cache: 0, body on disk) */
+  failures += disk_fallback_selftest(opt);
+
   for (i = 0; i < large_count; i++) {
     freet(large_body[i]);
   }

src/htscore.c

@@ -2193,16 +2193,19 @@ int httpmirror(char *url1, httrackp * opt) {
                 (OPT_GET_BUFF(opt), OPT_GET_BUFF_SIZE(opt), StringBuff(opt->path_log),
                  "hts-cache/new.lst"), "rb");
         if (new_lst != NULL && sz != (size_t) -1) {
-          char *adr = (char *) malloct(sz);
+          /* +1 for the NUL below: new.lst is read raw, and the strstr()
+             that follows needs a terminated C string. */
+          char *adr = (char *) malloct(sz + 1);
 
           if (adr) {
             if (fread(adr, 1, sz, new_lst) == sz) {
+              adr[sz] = '\0';
               char line[1100];
               int purge = 0;
 
               while(!feof(old_lst)) {
                 linput(old_lst, line, 1000);
-                if (!strstr(adr, line)) {       // fichier non trouvé dans le nouveau?
+                if (!strstr(adr, line)) { // not found in the new list?
                   char BIGSTK file[HTS_URLMAXSIZE * 2];
 
                   strcpybuff(file, StringBuff(opt->path_html));

src/htsencoding.c

@@ -145,8 +145,13 @@ int hts_unescapeEntitiesWithCharset(const char *src, char *dest, const size_t ma
         if (!hex) {
           if (src[i] >= '0' && src[i] <= '9') {
             const int h = src[i] - '0';
-            uc *= 10;
-            uc += h;
+            /* Guard before multiplying: a codepoint past the Unicode max
+               (0x10FFFF) is invalid anyway, so stop rather than overflow uc. */
+            if (uc > (0x10FFFF - h) / 10) {
+              ampStart = (size_t) -1;
+            } else {
+              uc = uc * 10 + h;
+            }
           } else {
             /* abandon */
             ampStart = (size_t) -1;
@@ -156,8 +161,11 @@ int hts_unescapeEntitiesWithCharset(const char *src, char *dest, const size_t ma
         else {
           const int h = get_hex_value(src[i]);
           if (h != -1) {
-            uc *= 16;
-            uc += h;
+            if (uc > (0x10FFFF - h) / 16) {
+              ampStart = (size_t) -1;
+            } else {
+              uc = uc * 16 + h;
+            }
           } else {
             /* abandon */
             ampStart = (size_t) -1;

src/htsindex.c

@@ -334,7 +334,7 @@ void index_finish(const char *indexpath, int mode) {
     if (fp_tmpproject) {
       tab = (char **) malloct(sizeof(char *) * (hts_primindex_size + 2));
       if (tab) {
-        blk = malloct(size + 4);
+        blk = malloct(size + 1);
         if (blk) {
           fseek(fp_tmpproject, 0, SEEK_SET);
           if ((INTsys) fread(blk, 1, size, fp_tmpproject) == size) {
@@ -343,6 +343,7 @@ void index_finish(const char *indexpath, int mode) {
             int i;
             FILE *fp;
 
+            blk[size] = '\0';
             while((b = strchr(a, '\n')) && (index < hts_primindex_size)) {
               tab[index++] = a;
               *b = '\0';

src/htsparse.c

@@ -3416,8 +3416,17 @@ int htsparse(htsmoduleStruct * str, htsmoduleStructExtended * stre) {
           if (RUN_CALLBACK4(opt, postprocess, &cAddr, &cSize, urladr(), urlfil()) == 1) {
             hts_log_print(opt, LOG_DEBUG,
               "engine: postprocess-html: callback modified data, applying %d bytes", cSize);
-            TypedArraySize(output_buffer) = 0;
-            TypedArrayAppend(output_buffer, cAddr, cSize);
+            /* The callback either edits output_buffer in place (cAddr
+               unchanged) or hands back its own buffer (cAddr changed). Only
+               the latter needs a copy: re-appending output_buffer onto itself
+               would read freed memory, as the append's realloc can relocate
+               the block out from under cAddr. */
+            if (cAddr != TypedArrayElts(output_buffer)) {
+              TypedArraySize(output_buffer) = 0;
+              TypedArrayAppend(output_buffer, cAddr, cSize);
+            } else {
+              TypedArraySize(output_buffer) = (size_t) cSize;
+            }
           }
         }
 

src/proxy/store.c

@@ -1162,7 +1162,7 @@ static PT_Element PT_ReadCache__New_u(PT_Index index_, const char *url,
                     FILE *fp = fopen(file_convert(catbuff, sizeof(catbuff), previous_save), "rb");
 
                     if (fp != NULL) {
-                      r->adr = (char *) malloc(r->size + 4);
+                      r->adr = (char *) malloc(r->size + 1);
                       if (r->adr != NULL) {
                         if (r->size > 0
                             && fread(r->adr, 1, r->size, fp) != r->size) {
@@ -1172,6 +1172,7 @@ static PT_Element PT_ReadCache__New_u(PT_Index index_, const char *url,
                           sprintf(r->msg, "Read error in cache disk data: %s",
                                   strerror(last_errno));
                         }
+                        r->adr[r->size] = '\0';
                       } else {
                         r->statuscode = STATUSCODE_INVALID;
                         strcpy(r->msg,

templates/Makefile.in

@@ -202,6 +202,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@

tests/01_engine-cache.test

@@ -1,5 +1,8 @@
 #!/bin/bash
 #
+# Keep this POSIX-portable: the harness runs it via $(BASH), which is a plain
+# POSIX /bin/sh on some platforms (e.g. macOS), so avoid bashisms and GNU-only
+# tool flags despite the #!/bin/bash above.
 
 # Cache create/read/update logic (driven by 'httrack -#A <dir>').
 #
@@ -38,9 +41,12 @@ test -e "$dir/hts-cache/new.zip" || {
 # Sanity-check the cache footprint: the few-thousand-entry pass is expected to
 # weigh ~1-2 MB. Fail if it balloons well past that (e.g. a per-entry overhead
 # regression or runaway growth), so the cache size stays bounded.
-ceiling=$((4 * 1024 * 1024))
-bytes=$(du -sb "$dir/hts-cache" | cut -f1)
-test "$bytes" -le "$ceiling" || {
-    echo "cache footprint $bytes bytes exceeds ${ceiling} ceiling" >&2
+# du -sk (1024-byte units) is portable; GNU's -b (apparent bytes) is rejected
+# by BSD/macOS du. Block-allocated size is an upper bound on apparent size,
+# which is all a ceiling check needs.
+ceiling=$((4 * 1024)) # KiB
+kbytes=$(du -sk "$dir/hts-cache" | cut -f1)
+test "$kbytes" -le "$ceiling" || {
+    echo "cache footprint ${kbytes} KiB exceeds ${ceiling} KiB ceiling" >&2
     exit 1
 }

tests/02_manpage-regen.test

@@ -3,6 +3,10 @@
 # The committed man/httrack.1 must match what man/makeman.sh produces from the
 # current "httrack --help" output. This catches a --help change that was not
 # followed by "make -C man regen-man".
+#
+# Keep this POSIX-portable: the harness runs it via $(BASH), which is a plain
+# POSIX /bin/sh on some platforms (e.g. macOS), so avoid bashisms (such as
+# process substitution) despite the #!/bin/bash above.
 
 : "${top_srcdir:=..}"
 
@@ -20,7 +24,9 @@ command -v httrack >/dev/null 2>&1 || {
 }
 
 tmp=$(mktemp) || exit 1
-trap 'rm -f "$tmp"' EXIT
+committed_clean=$(mktemp) || exit 1
+generated_clean=$(mktemp) || exit 1
+trap 'rm -f "$tmp" "$committed_clean" "$generated_clean"' EXIT
 
 README="$top_srcdir/README" bash "$gen" httrack >"$tmp" 2>/dev/null || {
     echo "makeman.sh failed" >&2
@@ -28,12 +34,15 @@ README="$top_srcdir/README" bash "$gen" httrack >"$tmp" 2>/dev/null || {
 }
 
 # Ignore the two intentionally date-dependent lines (page date, copyright year).
+# Temp files, not process substitution, so this works under a POSIX /bin/sh.
 strip_volatile() { grep -vE '^\.TH httrack |^Copyright \(C\) 1998-'; }
+strip_volatile <"$committed" >"$committed_clean"
+strip_volatile <"$tmp" >"$generated_clean"
 
-if diff <(strip_volatile <"$committed") <(strip_volatile <"$tmp") >/dev/null; then
+if diff "$committed_clean" "$generated_clean" >/dev/null; then
     exit 0
 fi
 
 echo "man/httrack.1 is out of date. Regenerate with: make -C man regen-man" >&2
-diff <(strip_volatile <"$committed") <(strip_volatile <"$tmp") | head -40 >&2
+diff "$committed_clean" "$generated_clean" | head -40 >&2
 exit 1

tests/Makefile.in

@@ -380,6 +380,7 @@ LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_PIE = @LDFLAGS_PIE@
 LFS_FLAG = @LFS_FLAG@
+LIBC_FORCE_LINK = @LIBC_FORCE_LINK@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@

tools/mkdeb.sh

@@ -118,7 +118,10 @@ main() {
     git -C "$repo/src/coucal" archive --format=tar --prefix=src/coucal/ HEAD |
         tar -x -C "$export_dir"
 
-    # Refresh build system and man page, then build and validate the tarball.
+    # Refresh build system and man page, then build the tarball. We build here
+    # only because regen-man needs the compiled binaries; the test suite is not
+    # run in this pass. debuild (below) runs the full suite once, with the online
+    # tests enabled, so a check here would just be a slower, offline-only repeat.
     info "regenerating build system and man page"
     (
         cd "$export_dir"
@@ -126,8 +129,6 @@ main() {
         ./configure --quiet
         make -s -j"$(nproc)"
         make -s -C man regen-man
-        info "running test suite"
-        make -s check
         # Build the tarball from a clean tree so no object files leak into it.
         make -s clean
         make -s dist