= compatrator to-do list

ChatGPT 5.2 found these issues:

Findings:

  - High: Null deref if an SCF filename line is missing \n (or longer than BUFSIZ), since strchr
    can return NULL before *strchr(buf, '\n') = '\0' in read_scf main.c:231-237. This can crash
    on truncated/corrupt SCF input.
  - High: Null deref when parsing SCF metadata lines without : or missing \n, because value =
    strchr(buf, ':') and strchr(value, '\n') are unguarded in init_scf main.c:349-359. A
    malformed SCF header will crash the process.
  - Medium: sametree assumes every filename contains '/' and does pointer math on NULL when it
    doesn’t (strchr may return NULL). Relative filenames like main.c will crash in report.c:84-
    90.
  - Low: stat return value is ignored in read_scf, but its sb.st_size is used for progress math
    (main.c:209-217, main.c:268-269). If the file is removed or stat fails, this is UB and can
    lead to bogus progress or divide-by-zero.

Improvements:

  - Add defensive parsing for SCF headers and file lists (check for : and \n before deref; treat
    missing newline as valid line end). This will make corrupted or truncated SCFs fail
    gracefully with a clear error.
  - Normalize sametree by handling paths without / (treat as basename; or treat as no tree
    prefix) so single-file inputs can’t crash.
  - Check malloc/realloc for NULL in hot paths (corehook, filehook, reduce_matches) and return a
    clear error instead of potential crashes.
  - Consider validating required SCF fields (Normalization, Shred-Size, Hash-Method, Root) before
    comparisons to avoid NULL derefs downstream.