audio/drivers/sdl_audio: NULL-check fifo_new returns in microphone and speaker init

LibretroAdmin · LibretroAdmin · commit 01a11acff60e · 2026-04-24T02:11:23.000+02:00
Two parallel unchecked fifo_new() return values in sdl_audio.c.

=== sdl_microphone_open_mic ===

    mic-&gt;sample_buffer = fifo_new(bufsize);

    if (tmp)
    {
       fifo_write(mic-&gt;sample_buffer, tmp, bufsize);
       ...
    }

fifo_new can return NULL on OOM (see libretro-common/queues/
fifo_queue.c - malloc wrapper + inner fifo_initialize_internal
can both fail).  The 'if (tmp)' block guards the fifo_write call
only by whether the separate 'tmp' calloc succeeded - if tmp
succeeded but fifo_new failed, fifo_write(NULL, tmp, bufsize)
NULL-derefs on the first 'buffer-&gt;end' access.

Even if we skip the prefill, hot-path audio callbacks later
(sdl_audio_record_cb, sdl_microphone_read via the FIFO_READ_AVAIL
macro + fifo_read) index into mic-&gt;sample_buffer unconditionally
and crash the same way on the next incoming audio callback.

Fix: NULL-check mic-&gt;sample_buffer; 'goto error' on OOM.

The existing 'error' label only did 'free(mic); return NULL'.
This worked for the pre-existing goto site (device_id == 0,
reached before mic-&gt;lock and mic-&gt;cond get allocated) but
leaks mic-&gt;lock, mic-&gt;cond, and mic-&gt;device_id for the new
goto site (reached after lines 230-231 slock_new/scond_new and
line 192 SDL_OpenAudioDevice).  Expanded the error label to:

    if (mic-&gt;device_id &gt; 0)
       SDL_CloseAudioDevice(mic-&gt;device_id);
    #ifdef HAVE_THREADS
       slock_free(mic-&gt;lock);
       scond_free(mic-&gt;cond);
    #endif
    free(mic);

slock_free/scond_free are NULL-tolerant so the old goto site
(device_id == 0) path is unchanged: device_id guard short-
circuits the close, lock/cond are NULL-as-zero-initialised by
the outer calloc so slock_free/scond_free no-op.  New goto
site gets proper cleanup.

=== sdl_audio_init ===

    sdl-&gt;speaker_buffer = fifo_new(bufsize);

    if (tmp)
    {
       fifo_write(sdl-&gt;speaker_buffer, tmp, bufsize);
       ...
    }

Same pattern, same bug.  Hot-path sdl_audio_write (lines ~623
onwards) uses FIFO_WRITE_AVAIL and fifo_write on speaker_buffer
unconditionally; sdl_audio_playback_cb similarly uses fifo_read.

Fix: NULL-check sdl-&gt;speaker_buffer.  Bail via sdl_audio_free
which already NULL-checks speaker_device (line ~716), NULL-
checks speaker_buffer (line ~721), and HAVE_THREADS frees are
NULL-tolerant.  Only need to explicitly free 'tmp' because
ownership hasn't transferred to the fifo yet.

=== Not a bug, verified clean ===

Every other alloc site in the input and audio driver sweeps
triaged cleanly:

  * input/drivers/udev_input.c - 3 sites (touch state arrays),
    all NULL-checked and coupled by sibling 'if (!ptr)' blocks.
  * input/drivers/winraw_input.c - 2 sites NULL-checked via
    goto error.
  * input/drivers/rwebinput_input.c - 1 site (already fixed in
    an earlier commit in this series - realloc-to-tmp).
  * input/drivers_hid/{wiiusb_hid,libusb_hid,iohidmanager_hid}.c
    - 4 sites total, all NULL-checked.
  * input/drivers_keyboard/keyboard_event_xkb.c - 1 site, 'if
    (!(x = calloc(...)))' idiom.
  * input/drivers_joypad/xinput_hybrid_joypad.c - 1 site NULL-
    checked.
  * input/drivers/{switch,qnx,android}_input.c - 3 sites, all
    use the 'if (!(x = calloc(...)))' idiom.
  * audio/drivers/tinyalsa.c - 2 sites, -ENOMEM return + NULL-
    check.
  * audio/drivers/coreaudio.c - 2 sibling sites NULL-checked.
  * audio/drivers/{xenon360,switch,ps3,pipewire,alsathread,
    alsa}_audio.c - each single-site, NULL-checked via the
    driver-init pattern.

=== Thread-safety ===

sdl_microphone_open_mic and sdl_audio_init both run on the main
thread during driver init, before the SDL audio callback thread
starts.  The audio callbacks (sdl_audio_record_cb,
sdl_audio_playback_cb) are the reason the speaker/mic buffer
consistency matters - but they don't start firing until
SDL_PauseAudioDevice(..., false) which is the last call before
both init functions return.  No lock discipline changes.

=== Reachability ===

Both sites fire once per audio driver init, i.e. at RetroArch
startup with the SDL audio driver selected, and again on any
audio-settings change that re-inits the driver (sample rate
change, latency change).  fifo_new's allocation is bounded by
'device_spec.samples * 2-4 * bytes_per_sample' - a few
kilobytes on typical configs, bigger for high-latency setups
but never large enough to be OOM-prone on desktop.  On
handheld/embedded builds with memory-tight configs this
remains a realistic fault site.
diff --git a/audio/drivers/sdl_audio.c b/audio/drivers/sdl_audio.c
@@ -241,6 +241,22 @@ static void *sdl_microphone_open_mic(void *driver_context, const char *device,
 
    RARCH_DBG("[SDL audio] Initialized microphone sample queue with %u bytes.\n", bufsize);
 
+   /* NULL-check fifo_new: hot-path audio callbacks
+    * (sdl_microphone_read_cb, sdl_microphone_read) index into
+    * mic->sample_buffer unconditionally via FIFO_READ_AVAIL and
+    * fifo_read/fifo_write.  fifo_* NULL-deref on a NULL buffer
+    * pointer (see libretro-common/queues/fifo_queue.c).  Bail to
+    * the existing 'error' label on OOM - it frees 'mic' and
+    * returns NULL, same as the outer calloc-failure path at the
+    * top of this function.  'tmp' is freed by the 'if (tmp)'
+    * block below, not here (calloc may have succeeded even if
+    * fifo_new failed, so defer tmp cleanup to after the guard). */
+   if (!mic->sample_buffer)
+   {
+      free(tmp);
+      goto error;
+   }
+
    if (tmp)
    {
       fifo_write(mic->sample_buffer, tmp, bufsize);
@@ -251,6 +267,19 @@ static void *sdl_microphone_open_mic(void *driver_context, const char *device,
    return mic;
 
 error:
+   /* HAVE_THREADS may have init'd mic->lock and mic->cond between
+    * the SDL_OpenAudioDevice call and the fifo_new below.
+    * slock_free/scond_free are NULL-tolerant so the earlier goto
+    * error site (device_id == 0) where these are still NULL is
+    * fine too.  'mic' is always non-NULL at this label because
+    * the calloc at the top of the function returns early on
+    * failure without goto'ing here. */
+   if (mic->device_id > 0)
+      SDL_CloseAudioDevice(mic->device_id);
+#ifdef HAVE_THREADS
+   slock_free(mic->lock);
+   scond_free(mic->cond);
+#endif
    free(mic);
    return NULL;
 }
@@ -591,6 +620,22 @@ static void *sdl_audio_init(const char *device,
    tmp                 = calloc(1, bufsize);
    sdl->speaker_buffer = fifo_new(bufsize);
 
+   /* NULL-check fifo_new: hot-path audio callbacks
+    * (sdl_audio_playback_cb, sdl_audio_write) index into
+    * sdl->speaker_buffer unconditionally via FIFO_WRITE_AVAIL /
+    * FIFO_READ_AVAIL and fifo_read/fifo_write.  fifo_* NULL-deref
+    * on a NULL buffer.  Bail via sdl_audio_free which already
+    * handles partial init state (speaker_device guard at line
+    * ~716, speaker_buffer guard at line ~721, HAVE_THREADS locks
+    * nullable).  'tmp' is owned here on failure since we haven't
+    * transferred it to the fifo yet. */
+   if (!sdl->speaker_buffer)
+   {
+      free(tmp);
+      sdl_audio_free(sdl);
+      return NULL;
+   }
+
    if (tmp)
    {
       fifo_write(sdl->speaker_buffer, tmp, bufsize);
