Improve memory safety

[jserv]

he codebase demonstrates generally good memory safety practices but has critical vulnerabilities in the callback/closure system.
Key findings:

• 89 malloc/calloc calls, 47 free calls - consistent allocation patterns
• Primary vulnerability: Work queue closure validation missing in src/work.c

Proper cleanup chain in twin_window_destroy() (src/window.c)

• Calls destroy callback if set
• Destroys pixmap with twin_pixmap_destroy()
• Frees window name string
• Frees window structure
• Toplevel cleanup: Proper cleanup in _twin_toplevel_destroy() with event dispatch
• Pixmap cleanup: Consistent use of twin_pixmap_destroy() across 15+ call sites

Event Handling and Work Queue Pointer Safety

• Work queue execution: _twin_run_work() (src/work.c) lacks closure validation
• Potential issue:** Work items can be queued with closures that become invalid
• No safety checks: Missing validation in twin_set_work() for closure pointer validity
• Queue deletion: Uses deferred deletion pattern with deleted flag (src/queue.c)

Buffer Overflow Risks

• String functions: Limited use of dangerous functions
  • strlen() + malloc() pattern used consistently (4 occurrences)
  • strcpy() used safely after proper allocation (2 occurrences)
  • No use of gets(), scanf(), or other dangerous functions
• Image loading:
  • GIF decoder: Uses proper bounds checking in read_num() and palette handling
  • PNG loader: Uses libpng with proper error handling and cleanup
  • TVG loader: Validates dimensions before allocation
• Buffer allocations: All image buffers allocated with calculated sizes

Use-After-Free in Callback Systems

• Work queue closures: Referenced widgets may be destroyed while work items are queued
• Timeout callbacks: Similar risk with timeout closures (src/timeout.c)
• Custom widget callbacks: Registration map may retain stale pointers after widget destruction
• Event callbacks: Window event callbacks may reference freed data
• _twin_toplevel_paint() and _twin_toplevel_layout() callbacks use top-level pointer without validation
• twin_set_timeout() accepts closure without lifetime management
• Custom widget dispatch map cleanup occurs in unregister_custom_widget() but timing may be incorrect

Expected output: overcome the above risks.

[jserv]

All memory safety vulnerabilities identified in this issue have been successfully resolved through three merged pull requests:

Fixes Implemented:

1. PR Prevent crashes from invalid closures in work/timeout queues #119 (cd2830b): Work queue and timeout closure validation

   • Added _twin_closure_is_valid() checks before callback execution
   • Validates closures at both scheduling and execution time

2. PR Add closure lifetime tracking to prevent use-after-free #120 (22ad440): Closure lifetime tracking system

   • Implemented comprehensive reference-counting closure tracker (244 lines in src/closure.c)
   • Prevents use-after-free through registry of active closures
   • Tracks reference counts and validates before callback execution

3. PR Fix use-after-free in custom widget destruction #121 (30f9dfb): Custom widget destruction fix

   • Fixed use-after-free in custom widget destruction
   • Ensures unregistration occurs before memory deallocation
   • Proper cleanup order: user dispatch → unregister → base destruction

Risk Mitigation Complete:

✅ Work queue closure validation missing → FIXED
✅ Work items queued with invalid closures → FIXED
✅ Missing validation in twin_set_work() → FIXED
✅ Timeout callback risks → FIXED
✅ Custom widget stale pointers → FIXED
✅ Event callbacks referencing freed data → FIXED
✅ Toplevel paint/layout without validation → FIXED
✅ twin_set_timeout() lifetime management → FIXED

All fixes verified in main branch. See ISSUE_118_RESOLUTION.md for detailed documentation.