frontend/drivers: fix OOM bugs in platform startup paths across unix/dos/xdk/emscripten

Seven OOM-related bugs across four frontend/drivers/ files,
plus two pre-existing cleanup leaks uncovered during the
audit.  All on platform-startup or user-exec code paths.

=== platform_unix.c: android_app_create ===

Three issues in the Android platform driver's main
bootstrap function (runs from ANativeActivity_onCreate on
every app launch):

1. slock_new() / scond_new() return values unchecked.
   slock_new and scond_new can return NULL on OOM.  A NULL
   mutex would silently make every slock_lock/unlock a
   no-op (slock_lock NULL-tolerates by design), giving a
   race-prone android_app that 'works' but has subtle
   concurrency bugs.  A NULL cond would NULL-deref on the
   scond_wait at the bottom of the function
   (pthread_cond_wait(&NULL->cond, ...)).

2. sthread_create() return value unchecked.  If the worker
   thread fails to spawn, nothing will set android_app->
   running=true, and the 'while (!running) scond_wait(...)'
   loop at the end of the function will block forever.

3. Pre-existing leak (not caused by this series): the
   pipe(msgpipe) failure path at line 470 freed savedState
   and android_app itself but leaked the already-created
   mutex and cond.  Fixed in the same pass.

Fix for all three: guard each init step, and on any failure
fully unwind everything allocated so far (mutex/cond free,
savedState free, pipe fds close, android_app free), then
return NULL.  The caller (ANativeActivity_onCreate at line
500ish) does handle NULL cleanly.

=== platform_unix.c: frontend_unix_exec ===

Two issues in the exec path used when restarting RetroArch
with a different core:

    newargv[0] = (char*)malloc(_len);     /* _len = strlen(path) */
    strlcpy(newargv[0], path, _len);

  * malloc unchecked, strlcpy NULL-derefs on OOM.
  * strlcpy wants n bytes to write n-1 chars plus a NUL, so
    with _len == strlen(path) the final character of path
    was silently truncated.  Pre-existing off-by-one.

Fix: _len = strlen(path) + 1, NULL-check malloc, return on
OOM.  The exec call on the next line uses path directly (not
newargv[0]) so exec behaviour isn't affected by the old
truncation, but logging and downstream argv consumers see
corrupted path.

=== platform_unix.c: accessibility_speak_unix ===

    char* voice_out = (char*)malloc(3 + strlen(language));
    char* speed_out = (char*)malloc(3 + 3);
    ...
    voice_out[0] = '-';   /* NULL-deref on OOM */
    speed_out[0] = '-';

Fix: NULL-check both, goto the existing 'end:' label which
already does NULL-tolerant free()s.  The function's contract
is always-true return so accessibility speak is silently
dropped on OOM (non-critical feature degradation rather than
a user-visible error).

=== platform_dos.c: frontend_dos_exec ===

Same pattern as frontend_unix_exec but the _len=strlen+1 was
already correct in this file.  Just needs the NULL-check.

=== platform_xdk.c: frontend_xdk_get_environment_settings (Xbox 360) ===

    char *extracted_path = (char*)calloc(dwLaunchDataSize, sizeof(char));
    BYTE* pLaunchData    = (BYTE*)calloc(dwLaunchDataSize, sizeof(BYTE));

    XGetLaunchData(pLaunchData, dwLaunchDataSize);   /* NULL-deref */
    memset(extracted_path, 0, dwLaunchDataSize);     /* NULL-deref */
    strlcpy(extracted_path, pLaunchData, ...);       /* NULL-deref */

Two unchecked callocs feeding three immediate NULL-derefs on
OOM, plus a pre-existing leak: the cleanup at the bottom of
the block freed pLaunchData but not extracted_path.

Fix: joint NULL-check; on success both get freed; on failure
both get freed (free(NULL) is a no-op so no extra guards).

=== platform_emscripten.c: main ===

    emscripten_platform_data = (...)calloc(1, sizeof(...));
    ...
    emscripten_platform_data->browser = host_browser;   /* NULL-deref */

This is main() at process entry for the web build.  On OOM
we can't meaningfully continue - return 1 so the browser
shim surfaces the failure.

=== Not a bug, verified clean ===

  * platform_ps2.c lines 453/460/467: intentional memory-
    probing loop (allocate max, halve on failure).  The
    'while (s0 && (p=malloc(s0)) == NULL)' pattern with
    short-circuit && correctly leaves p at its last-assigned
    NULL when s0 hits 0, so the subsequent 'if (p) free(p)'
    is safe.
  * platform_darwin.m lines 949, 956, 1030: all three
    already NULL-checked (prior commits in this series).
  * platform_switch.c lines 487, 555: NULL-checked with
    realloc-to-tmp for the realloc site.
  * platform_wii.c:218, platform_ctr.c:329: NULL-checked.
  * platform_emscripten.c:862: line alloc fed to getline
    which per POSIX handles NULL line gracefully (allocates
    its own buffer).
  * platform_ps3/psp/uwp/win32/orbis/qnx/wiiu/gx: zero raw
    alloc sites.
  * frontend/ top-level .c files: zero raw alloc sites.

=== Thread-safety ===

android_app_create is called from the Android glue thread
during ANativeActivity_onCreate, single-threaded at that
point.  The new teardown paths happen before the worker
thread is spawned (or immediately after its failed spawn),
so no concurrent access concerns.

frontend_unix_exec, frontend_dos_exec, accessibility_speak_
unix, frontend_xdk_get_environment_settings and main() all
run single-threaded on the main thread.

=== Reachability ===

Every fix here is on a startup or user-action path:
  * android_app_create: every Android app launch / restore.
  * frontend_unix_exec / frontend_dos_exec: every 'restart
    with a different core' user action.
  * accessibility_speak_unix: every accessibility-enabled
    menu navigation event.
  * platform_xdk: every Xbox 360 content launch (auto-start
    game from dashboard).
  * platform_emscripten main: every web-build page load.

OOM during platform startup is most realistic on low-memory
embedded targets (Android handhelds, Xbox 360, web tabs with
memory pressure from other sites).

Author: LibretroAdmin

frontend/drivers/platform_dos.c

@@ -121,6 +121,15 @@ static void frontend_dos_exec(const char *path, bool should_load_game)
 #endif
 
 	newargv[0] = (char*)malloc(_len);
+	/* NULL-check malloc: the strlcpy on the next line
+	 * NULL-derefs on OOM.  Void function called from within an
+	 * exec/fork flow; logging and returning leaves the caller
+	 * able to surface the failure. */
+	if (!newargv[0])
+	{
+		RARCH_ERR("Failed to allocate argv for exec.\n");
+		return;
+	}
 	strlcpy(newargv[0], path, _len);
 
 	execv(path, newargv);

frontend/drivers/platform_emscripten.c

@@ -998,8 +998,17 @@ int main(int argc, char *argv[])
    pthread_attr_t attr;
    pthread_t thread;
 #endif
-   /* this never gets freed */
+   /* this never gets freed - emscripten_platform_data is held
+    * for the lifetime of the web-build process */
    emscripten_platform_data = (emscripten_platform_data_t *)calloc(1, sizeof(emscripten_platform_data_t));
+   /* NULL-check: the field writes a few lines down
+    * (emscripten_platform_data->browser, ->os, ->...) NULL-deref
+    * on OOM.  This is main() at process entry - if we can't even
+    * allocate the platform state struct there's no viable path
+    * forward; bail with non-zero so the browser shim can surface
+    * the failure. */
+   if (!emscripten_platform_data)
+      return 1;
 
    PlatformEmscriptenGetSystemInfo(&host_browser, &host_os);
    emscripten_platform_data->browser = host_browser;

frontend/drivers/platform_unix.c

@@ -449,6 +449,24 @@ static struct android_app* android_app_create(ANativeActivity* activity,
 
    android_app->mutex    = slock_new();
    android_app->cond     = scond_new();
+   /* NULL-check slock_new / scond_new: both can fail on OOM.
+    * Without the guards here, a NULL mutex would silently turn
+    * every slock_lock/unlock below into a no-op (slock_lock
+    * NULL-tolerates by design), giving a race-prone android_app,
+    * and a NULL cond would NULL-deref in scond_wait below
+    * (pthread_cond_wait(&NULL->cond, ...)).  Fail the whole
+    * android_app construction so ANativeActivity_onCreate returns
+    * cleanly without half-initialised state. */
+   if (!android_app->mutex || !android_app->cond)
+   {
+      if (android_app->mutex)
+         slock_free(android_app->mutex);
+      if (android_app->cond)
+         scond_free(android_app->cond);
+      free(android_app);
+      RARCH_ERR("Failed to allocate android_app locks.\n");
+      return NULL;
+   }
 
    if (savedState)
    {
@@ -471,6 +489,8 @@ static struct android_app* android_app_create(ANativeActivity* activity,
    {
       if (android_app->savedState)
         free(android_app->savedState);
+      slock_free(android_app->mutex);
+      scond_free(android_app->cond);
       free(android_app);
       return NULL;
    }
@@ -479,6 +499,23 @@ static struct android_app* android_app_create(ANativeActivity* activity,
    android_app->msgwrite = msgpipe[1];
 
    android_app->thread   = sthread_create(android_app_entry, android_app);
+   /* NULL-check sthread_create: on OOM the thread won't be
+    * spawned and nothing will set android_app->running to true,
+    * so the scond_wait loop below would block indefinitely.
+    * Tear down the partially-constructed android_app (including
+    * the just-created pipe fds) and bail. */
+   if (!android_app->thread)
+   {
+      close(msgpipe[0]);
+      close(msgpipe[1]);
+      if (android_app->savedState)
+         free(android_app->savedState);
+      slock_free(android_app->mutex);
+      scond_free(android_app->cond);
+      free(android_app);
+      RARCH_ERR("Failed to spawn android_app thread.\n");
+      return NULL;
+   }
 
    /* Wait for thread to start. */
    slock_lock(android_app->mutex);
@@ -2691,10 +2728,24 @@ static bool frontend_unix_set_fork(enum frontend_fork fork_mode)
 static void frontend_unix_exec(const char *path, bool should_load_content)
 {
    char *newargv[]    = { NULL, NULL };
-   size_t _len        = strlen(path);
+   size_t _len        = strlen(path) + 1;
 
    newargv[0] = (char*)malloc(_len);
 
+   /* NULL-check malloc: the strlcpy on the next line
+    * NULL-derefs on OOM.  Void function called from within
+    * an exec/fork flow; logging and returning leaves the
+    * caller able to retry or surface an error.  Prior to
+    * this patch _len was strlen(path) (not +1), which meant
+    * strlcpy silently truncated the last character of the
+    * path because strlcpy needs n bytes to write n-1 chars
+    * plus a NUL. */
+   if (!newargv[0])
+   {
+      RARCH_ERR("Failed to allocate argv for exec.\n");
+      return;
+   }
+
    strlcpy(newargv[0], path, _len);
 
    execv(path, newargv);
@@ -3267,6 +3318,16 @@ static bool accessibility_speak_unix(int speed,
    char* speed_out        = (char*)malloc(3 + 3);
    const char* speeds[10] = {"80", "100", "125", "150", "170", "210", "260", "310", "380", "450"};
 
+   /* NULL-check both mallocs: voice_out[0]='-' and speed_out[0]='-'
+    * below NULL-deref on OOM.  The 'end:' label does NULL-tolerant
+    * free()s on both pointers, so we can simply skip to it on
+    * either failure.  Returning true matches the function's
+    * existing always-true return contract and means the
+    * accessibility request is silently dropped rather than
+    * surfacing a user-visible error for a non-critical feature. */
+   if (!voice_out || !speed_out)
+      goto end;
+
    if (speed < 1)
       speed = 1;
    else if (speed > 10)

frontend/drivers/platform_xdk.c

@@ -185,17 +185,33 @@ static void frontend_xdk_get_environment_settings(int *argc, char *argv[],
       char *extracted_path                 = (char*)calloc(dwLaunchDataSize, sizeof(char));
       BYTE* pLaunchData                    = (BYTE*)calloc(dwLaunchDataSize, sizeof(BYTE));
 
-      XGetLaunchData(pLaunchData, dwLaunchDataSize);
-      memset(extracted_path, 0, dwLaunchDataSize);
+      /* NULL-check both callocs: memset / XGetLaunchData /
+       * strlcpy below NULL-deref on OOM.  Pre-patch
+       * extracted_path was also leaked on the happy path
+       * because the teardown at the bottom of this block
+       * only freed pLaunchData; the early return on OOM
+       * would have leaked both.  Fix: bail with both
+       * pointers freed (free(NULL) is a no-op so no extra
+       * guard needed). */
+      if (!extracted_path || !pLaunchData)
+      {
+         free(extracted_path);
+         free(pLaunchData);
+      }
+      else
+      {
+         XGetLaunchData(pLaunchData, dwLaunchDataSize);
+         memset(extracted_path, 0, dwLaunchDataSize);
 
-      strlcpy(extracted_path, pLaunchData, dwLaunchDataSize);
+         strlcpy(extracted_path, pLaunchData, dwLaunchDataSize);
 
-      /* Auto-start game */
-      if (extracted_path && *extracted_path)
-         strlcpy(path, extracted_path, sizeof(path));
+         /* Auto-start game */
+         if (*extracted_path)
+            strlcpy(path, extracted_path, sizeof(path));
 
-      if (pLaunchData)
          free(pLaunchData);
+         free(extracted_path);
+      }
    }
 #endif
    if (path && *path)