Commit 3785495

scattered OOM fixes: core_backup entries leak, netplay core_netpacket_interface and rooms_data
Three small unrelated OOM bugs found during a top-level sweep.

=== core_backup.c: core_backup_list_init entries leak on OOM ===

    if (!(entries = calloc(dir_list->size, sizeof(*entries))))
    {
       string_list_free(dir_list);
       return NULL;
    }
    if (!(backup_list = malloc(sizeof(*backup_list))))
    {
       string_list_free(dir_list);
       return NULL;   /* entries leaks here */
    }

The backup_list malloc failure path freed dir_list but not entries. On OOM the entries buffer (potentially large - dir_list->size * sizeof(core_backup_list_entry_t)) was leaked.

Fix: free(entries) in the failure block.

=== network/netplay/netplay_frontend.c: core_netpacket_interface malloc ===

    net_st->core_netpacket_interface = malloc(
          sizeof(*net_st->core_netpacket_interface));
    *net_st->core_netpacket_interface = *(struct retro_netpacket_callback*)data;

malloc unchecked; the struct-copy on the next line NULL-derefs on OOM. Triggered by RARCH_NETPLAY_CTL_SET_CORE_PACKET_INTERFACE, which a core calls via RETRO_ENVIRONMENT_SET_NETPACKET_INTERFACE.

Fix: NULL-check, break out of the env-dispatch case on failure. The companion RARCH_NETPLAY_CTL_USE_CORE_PACKET_INTERFACE case (lines ~9782) correctly reports unavailability when the pointer is NULL ('ret = (net_st->core_netpacket_interface != NULL)'), so skipping the copy + path-redirect gracefully signals 'no core netpacket interface available' - strictly better than a segfault in the middle of core init.

=== network/netplay/netplay_room_parse.c: rooms_data calloc ===

    net_st->rooms_data = (struct netplay_rooms*)
          calloc(1, sizeof(*net_st->rooms_data));
    rjson_parse_quick(buf, len, &ctx, 0, ...)

calloc unchecked. The rjson_parse_quick member/object-start handlers dereference net_st->rooms_data freely (line ~103 'if (!net_st->rooms_data->head)'), so OOM causes a NULL-deref partway through JSON parsing.

Fix: NULL-check before invoking the parser and return 0 (the existing success return). Callers are two menu/Discord lobby refresh paths that gate subsequent iteration on netplay_rooms_get_count() - that function already NULL-checks rooms_data at line 350 and returns 0, causing the 'no rooms available' UI state. Matches the 'empty JSON response' success outcome.

NOTE: the inner per-room callocs inside the parse callbacks (lines ~105 and ~110) are still unchecked. Fixing those properly would need threading an error flag through the entire parse-context struct since rjson callbacks can't propagate OOM out of the parser. Out of scope for this patch; this commit plugs only the outer container alloc which is the entry point for every call.

=== Thread-safety ===

All three sites run on the main thread (menu interaction, core env dispatch, lobby refresh). No lock discipline changes.

=== Reachability ===

* core_backup_list_init: every core-backup menu open, every core-updater restore scan. dir_list->size scales with the number of backups present so the leaked buffer can be substantial on long-running installations.
* core_netpacket_interface: every core that supports netplay via the core-packet-interface API (modern netplay-aware cores).
* rooms_data: every netplay lobby refresh - both the menu's explicit 'refresh room list' action and Discord integration auto-refreshes.
1 parent 3a5775d commit 3785495

3 files changed

Lines changed: 27 additions & 0 deletions

core_backup.c

Lines changed: 3 additions & 0 deletions
@@ -592,6 +592,9 @@ core_backup_list_t *core_backup_list_init(
592592
/* Create core backup list */
593593
if (!(backup_list = (core_backup_list_t*)malloc(sizeof(*backup_list))))
594594
{
595+
/* entries was allocated by the previous if-block and
596+
* would leak if we only freed dir_list here. */
597+
free(entries);
595598
string_list_free(dir_list);
596599
return NULL;
597600
}
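
Review bot: The comment added above free(entries) describes the pre-patch bug ("would leak if we only freed dir_list here") rather than the ownership rule, so it will read oddly once the history is forgotten; a short note that entries is still owned by this function at this point is enough. The free itself is correct as long as nothing between the calloc of entries and this malloc stores owned pointers into the array, which matches the sequence quoted in the commit message. With two allocations now sharing the same cleanup, a single error label that frees entries and dir_list would keep the next allocation added to core_backup_list_init from repeating this leak.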

network/netplay/netplay_frontend.c

Lines changed: 7 additions & 0 deletions
@@ -9770,6 +9770,13 @@ bool netplay_driver_ctl(enum rarch_netplay_ctl_state state, void *data)
97709770
/* copy passed interface to local state */
97719771
net_st->core_netpacket_interface = (struct retro_netpacket_callback*)
97729772
malloc(sizeof(*net_st->core_netpacket_interface));
9773+
/* NULL-check: the struct-assign on the next line
9774+
* NULL-derefs on OOM. On failure skip the copy and
9775+
* the path-redirect; USE_CORE_PACKET_INTERFACE
9776+
* (line ~9782) correctly reports 'not available'
9777+
* when the pointer is NULL. */
9778+
if (!net_st->core_netpacket_interface)
9779+
break;
97739780
*net_st->core_netpacket_interface = *(struct retro_netpacket_callback*)data;
97749781
/* reset savefile dir as core_netpacket_interface affects it */
97759782
runloop_path_set_redirect(config_get_ptr(),
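
Review bot: The break at new line 9779 skips the copy, but the hunk does not show what netplay_driver_ctl returns for this case afterwards; if ret is still at a success default, the core that issued RETRO_ENVIRONMENT_SET_NETPACKET_INTERFACE is told the interface was accepted although nothing was stored. Set ret = false before the break (or confirm the default is already false) so the failure is visible at the SET call and not only later through USE_CORE_PACKET_INTERFACE. The malloc result is also assigned directly over net_st->core_netpacket_interface, so if this case can run more than once, check that the earlier allocation is released first. The comment's "line ~9782" is already off by the seven lines this hunk adds; refer to the case label alone.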

network/netplay/netplay_room_parse.c

Lines changed: 17 additions & 0 deletions
@@ -288,6 +288,23 @@ int netplay_rooms_parse(const char *buf, size_t len)
288288
net_st->rooms_data = (struct netplay_rooms*)
289289
calloc(1, sizeof(*net_st->rooms_data));
290290

291+
/* NULL-check: the rjson_parse_quick callbacks below (at
292+
* lines ~103, ~108, etc.) dereference net_st->rooms_data
293+
* unconditionally in the JSON member / object-start handlers.
294+
* On OOM bail before invoking the parser - 'return 0' is the
295+
* existing success return, but the caller (parse_lobby_json)
296+
* only iterates rooms if net_st->rooms_data is non-NULL, so
297+
* the no-rooms-available outcome matches the 'no entries in
298+
* the JSON' success path.
299+
*
300+
* The inner per-room callocs at lines ~105 and ~110 are
301+
* still unchecked (they're deep inside rjson callbacks with
302+
* no practical way to propagate OOM - fixing them would
303+
* require threading an error flag through the entire
304+
* parse-context struct, out of scope here). */
305+
if (!net_st->rooms_data)
306+
return 0;
307+
291308
rjson_parse_quick(buf, len, &ctx, 0,
292309
netplay_json_object_member,
293310
netplay_json_string,
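
Review bot: Returning 0 at new line 306 makes an allocation failure indistinguishable from an empty lobby response, and nothing records that it happened, so the user sees "no rooms" with no trace of the cause. If the return contract of netplay_rooms_parse cannot change in this patch, emit a log message before the return 0 so the OOM is at least diagnosable. The comment names parse_lobby_json as the caller that checks rooms_data, while the commit message says the callers gate on netplay_rooms_get_count(); make the two agree. The hard-coded line references (~103, ~108, ~105, ~110) will go stale on the next edit to this file; name the callbacks instead, for example netplay_json_object_member, and trim the comment to the invariant it protects.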
