gfx/drivers_font_renderer: fix OOM NULL-deref in bitmapfont atlas buffer and coretext bitmapData

LibretroAdmin · LibretroAdmin · commit 06106cbb1d7e · 2026-04-24T06:54:58.000+02:00
Two NULL-deref bugs reachable under OOM in the font renderer
backends.

=== bitmapfont.c (font_renderer_bmp_init) ===

font_renderer_bmp_init allocates a scaled atlas buffer and then
rasterises 256 glyphs into it:

    handle-&gt;atlas.buffer = (uint8_t*)calloc(
          handle-&gt;atlas.width * handle-&gt;atlas.height, 1);

    for (i = 0; i &lt; BMP_ATLAS_SIZE; i++)
    {
       ...
       char_to_texture(handle, i, x, y);
       ...
    }

The calloc was unchecked.  char_to_texture does

    uint8_t *target = handle-&gt;atlas.buffer + atlas_x +
          atlas_y * handle-&gt;atlas.width;
    ...
    dst[xo + yo * handle-&gt;atlas.width] = col;

which NULL-derefs on OOM.

Fixed with a NULL-check immediately after the calloc, freeing
the already-allocated 'handle' and returning NULL.  The
font_renderer_bmp_free teardown path is NULL-safe so we could
alternatively have fallen through to that, but the direct
free(handle)+return NULL is a minimal-diff fix.

=== coretext.c (ct_font_renderer_get_glyph) ===

The per-glyph rendering path calloc's a scratch bitmap, passes
it to CGBitmapContextCreate, draws the glyph via CoreText, then
byte-wise copies the bitmap into the shared atlas:

    bitmapData = calloc(slot-&gt;glyph.height, slot-&gt;glyph.width);
    offscreen  = CGBitmapContextCreate(bitmapData, ...);
    if (!offscreen) { free(bitmapData); return false; }
    ...
    src = (const uint8_t*)bitmapData;
    for (r = 0; r &lt; slot-&gt;glyph.height; r++)
       for (c = 0; c &lt; slot-&gt;glyph.width; c++)
          dst[r * handle-&gt;atlas.width + c] =
             src[r * slot-&gt;glyph.width + c];

CGBitmapContextCreate is NULL-tolerant in its 'data' parameter
- when NULL it allocates its own backing store.  So on OOM
the flow was:
  1. bitmapData = NULL.
  2. CGBitmapContextCreate creates a valid context with its
     own backing store.
  3. CoreText renders into that internal store.
  4. The 'src' copy loop dereferences bitmapData (NULL) and
     segfaults.

A subtle failure mode because the first two steps succeed
and the third (internally) works - only the atlas copy
crashes, which in a stack trace looks like a CoreText /
GPU issue rather than an OOM.

Fixed with a NULL-check on bitmapData before the
CGBitmapContextCreate call.  Returning false here matches the
return-false behaviour on the !offscreen branch below - the
caller handles missing glyphs gracefully (glyph slot stays
uninitialised, rendering falls back to whitespace).

=== Swept-clean in the same pass ===

Verified via visual inspection of every calloc/malloc/realloc
call in the renderer files that all other sites were already
NULL-checked:

- bitmapfont.c   : 3 sites (lines 58, 67, 75) all guarded.
- bitmapfont_6x10.c / bitmapfont_10x10.c: all sites guarded.
- stb.c / stb_unicode.c: all sites guarded.
- freetype.c : all sites guarded.
- font_driver.c: single site guarded (prior fix, commit
  landed earlier).

Thread-safety: both bugs are in one-shot init paths called
from the main video thread at atlas creation time; no
concurrency concerns.

Reachability: OOM on a 512x512 calloc (bitmapfont atlas) or a
much smaller per-glyph calloc (coretext bitmapData) is
unlikely on desktop builds but realistic on memory-constrained
embedded targets where RetroArch runs - especially the
bitmapfont path which is the fallback when no TTF renderer is
available.
diff --git a/gfx/drivers_font_renderer/bitmapfont.c b/gfx/drivers_font_renderer/bitmapfont.c
@@ -185,6 +185,17 @@ static void *font_renderer_bmp_init(const char *font_path, float font_size)
    handle->atlas.height    = (BMP_ATLAS_PADDING + (FONT_HEIGHT * handle->scale_factor)) * BMP_ATLAS_ROWS;
    handle->atlas.buffer    = (uint8_t*)calloc(handle->atlas.width * handle->atlas.height, 1);
 
+   /* NULL-check atlas.buffer: char_to_texture below writes into
+    * handle->atlas.buffer[x + y * atlas.width] and would NULL-
+    * deref on OOM.  font_renderer_bmp_free NULL-safely frees
+    * atlas.buffer via the free(NULL) no-op, so we can bail out
+    * via free(handle) alone. */
+   if (!handle->atlas.buffer)
+   {
+      free(handle);
+      return NULL;
+   }
+
    for (i = 0; i < BMP_ATLAS_SIZE; i++)
    {
       unsigned x           = (i % BMP_ATLAS_COLS) *
diff --git a/gfx/drivers_font_renderer/coretext.c b/gfx/drivers_font_renderer/coretext.c
@@ -291,6 +291,14 @@ static bool coretext_font_renderer_render_glyph(CTFontRef face, ct_font_renderer
 
    /* Create bitmap context */
    bitmapData = calloc(slot->glyph.height, slot->glyph.width);
+   /* NULL-check: CGBitmapContextCreate tolerates NULL (it will
+    * allocate its own backing store), but the byte-wise copy
+    * into the atlas at lines ~321-325 dereferences bitmapData
+    * as 'src'.  If we proceeded on NULL, CoreGraphics might
+    * give us a valid context, we'd draw into it, and then
+    * NULL-deref on the atlas copy step.  Fail cleanly now. */
+   if (!bitmapData)
+      return false;
    offscreen  = CGBitmapContextCreate(bitmapData, slot->glyph.width, slot->glyph.height,
                                       8, slot->glyph.width, NULL, kCGImageAlphaOnly);
 
