cheat_manager: fix three OOM bug clusters in cheats realloc and memory buffer init

Three separate bug clusters in cheat_manager.c, all OOM paths,
all on hot paths (cheat loading, cheat list grow, memory-map
init at core start).

=== cheat_manager_realloc: realloc-assign-self + leak ===

    val = (struct item_cheat*)
          realloc(cheat_st->cheats,
          new_size * sizeof(struct item_cheat));

    cheat_st->cheats = val ? val : NULL;

This looks like a safe realloc-to-tmp but isn't.  On OOM 'val'
is NULL and 'cheats' is still the valid old buffer per the C
realloc contract - but the line above explicitly sets cheats
to NULL, dropping the only reference and leaking the entire
container.  Worse, each entry in that container has live
.code and .desc strdup'd strings that were about to be freed
by the shrink branch above (lines 561-569 handled indices
[new_size, orig_size) but [0, min(new_size, orig_size))
still held live strings at the moment of the realloc call).

Fix: free the old buffer AND its per-entry .code/.desc strings
explicitly on OOM before NULL'ing cheats.  Preserves the
existing failure contract (size=0, cheats=NULL) that callers
at lines ~515 and ~1206 rely on:

    /* caller at 515: gates iteration on cheats non-NULL */
    for (i = orig_size; cheat_st->cheats && i < cheats; i++)

    /* caller at 1206: returns false if realloc returned false */
    if (!cheat_manager_realloc(new_size, CHEAT_HANDLER_TYPE_RETRO))
       return false;

=== cheat_manager_initialize_memory descriptor loop: two stacked bugs ===

    cheat_st->num_memory_buffers++;

    if (!cheat_st->memory_buf_list)
       cheat_st->memory_buf_list = calloc(1, sizeof(uint8_t *));
    else
       cheat_st->memory_buf_list = realloc(
             cheat_st->memory_buf_list,
             sizeof(uint8_t *) * cheat_st->num_memory_buffers);

    if (!cheat_st->memory_size_list)
       cheat_st->memory_size_list = calloc(1, sizeof(unsigned));
    else
    {
       unsigned *val = realloc(...);
       if (val)
          cheat_st->memory_size_list = val;
    }

    cheat_st->memory_buf_list [num - 1] = ...;
    cheat_st->memory_size_list[num - 1] = ...;

Two bugs:

  1. memory_buf_list uses realloc-assign-self: on OOM the old
     buffer leaks and the [num - 1] write below NULL-derefs.
  2. memory_size_list uses realloc-into-tmp with a NULL-check
     but silently ignores the failure.  That leaves the array
     one element too short while num_memory_buffers claims the
     new size.  The [num - 1] write below is then a
     heap-buffer-overflow past the end of memory_size_list.

Plus num_memory_buffers++ happens eagerly at the top, so on
OOM the count and the array lengths are out of sync.

Fix: compute new_count into a local temp, grow both lists into
temp pointers, commit both and bump num_memory_buffers only
after both succeed.  On either OOM continue to the next
descriptor (the post-loop 'if (num_memory_buffers == 0)' check
then takes the RETRO_MEMORY_SYSTEM_RAM fallback path).  The
one-slot overallocation on a partial-success path (buf_list
grew, size_list failed) is a minor waste of memory but can't
corrupt state because num_memory_buffers never advanced.

=== cheat_manager_initialize_memory fallback path: unchecked callocs ===

    cheat_st->memory_buf_list  = calloc(1, sizeof(uint8_t *));
    cheat_st->memory_size_list = calloc(1, sizeof(unsigned));
    cheat_st->num_memory_buffers = 1;
    cheat_st->memory_buf_list[0]  = ...;    /* NULL-deref on OOM */
    cheat_st->memory_size_list[0] = ...;    /* NULL-deref on OOM */

When num_memory_buffers == 0 after the descriptor loop, the
RETRO_MEMORY_SYSTEM_RAM fallback allocates two one-element
arrays and writes to [0].  Both callocs are unchecked.

Fix: NULL-check both and bail via the same MSG_CHEAT_INIT_FAIL
path used by the meminfo-failed branch a few lines above.
Free whichever calloc succeeded (free(NULL) is safe for the
other).

=== Not a bug, verified clean ===

Other alloc sites in cheat_manager.c, also checked during this
pass:
  * line 366 (cheats initial calloc) - NULL-checked with
    graceful zero-out.
  * line 552 (cheats create-if-null branch in realloc) - flows
    into the same post-alloc check that fires in the realloc
    case.
  * line 939 (prev_memory_buf) - NULL-checked with
    MSG_CHEAT_INIT_FAIL bail.
  * line 957 (matches) - NULL-checked with matching teardown
    (frees prev_memory_buf on failure).

Other top-level files swept in this pass and found clean:
  * configuration.c, dynamic.c, retroarch.c - zero raw alloc
    sites.
  * core_option_manager.c - 13 sites, all use the 'if (!(x =
    alloc(...)))' idiom.
  * core_info.c - 8 sites NULL-checked including the
    realloc-to-tmp at line 400.
  * database_info.c - 3 sites NULL-checked (lines 988, 1022,
    1204).
  * runloop.c - 2 sites NULL-checked (lines 2746, 2794) in the
    SET_SUBSYSTEM_INFO and SET_CONTROLLER_INFO environ handlers.

=== Thread-safety ===

cheat_manager_realloc runs on the main thread (invoked from
menu or cheat-file load).  cheat_manager_initialize_memory
runs on the main thread at core load (after retro_load_game).
No shared-state changes; no lock discipline changes.

=== Reachability ===

  * cheat_manager_realloc: every cheat file load, every user-
    driven cheat list grow/shrink via the menu.
  * cheat_manager_initialize_memory: every core load with
    HAVE_CHEEVOS or cheats feature enabled.  On handhelds with
    sub-256MB RAM running a memory-hungry core, the one-element
    allocs on the fallback path are cheap but the multi-
    descriptor realloc path can realloc arrays with dozens of
    entries for cores that expose many memory regions (arcade
    cores, multi-chip emulators).

Author: LibretroAdmin

cheat_manager.c

@@ -572,7 +572,38 @@ bool cheat_manager_realloc(unsigned new_size, unsigned default_handler)
             realloc(cheat_st->cheats,
             new_size * sizeof(struct item_cheat));
 
-      cheat_st->cheats = val ? val : NULL;
+      /* realloc-to-tmp: on OOM 'val' is NULL, the original
+       * cheat_st->cheats is still valid.  Pre-patch did
+       * 'cheats = val ? val : NULL' which silently leaked the
+       * valid old buffer (the pointer was the only reference).
+       *
+       * Free the old buffer explicitly on failure.  Also free
+       * per-entry .code/.desc strings for indices still present
+       * in the old buffer - the shrink branch above (lines
+       * 561-569) already handled [new_size, orig_size) but
+       * the [0, min(new_size, orig_size)) entries still hold
+       * live strings.  Without this cleanup we'd swap one leak
+       * (the container) for another (the strings inside).
+       *
+       * The failure contract here is 'size goes to 0, cheats
+       * cleared' (see the 'if (!cheat_st->cheats)' block below
+       * that sets size=0 and buf_size=0, and caller checks
+       * at line ~515 that gate on 'cheat_st->cheats &&'). */
+      if (val)
+         cheat_st->cheats = val;
+      else
+      {
+         unsigned keep = (new_size < orig_size) ? new_size : orig_size;
+         for (i = 0; i < keep; i++)
+         {
+            if (cheat_st->cheats[i].code)
+               free(cheat_st->cheats[i].code);
+            if (cheat_st->cheats[i].desc)
+               free(cheat_st->cheats[i].desc);
+         }
+         free(cheat_st->cheats);
+         cheat_st->cheats = NULL;
+      }
    }
 
    if (!cheat_st->cheats)
@@ -813,30 +844,54 @@ int cheat_manager_initialize_memory(rarch_setting_t *setting, size_t idx, bool w
                && sys_info->mmaps.descriptors[i].core.ptr
                && sys_info->mmaps.descriptors[i].core.len > 0)
          {
-            cheat_st->num_memory_buffers++;
+            /* Grow both lists atomically and bail on OOM.
+             * Pre-patch:
+             *   - num_memory_buffers++ was done first
+             *   - memory_buf_list = realloc(memory_buf_list, ...)
+             *     self-assigned on OOM (leak + NULL-deref at [i])
+             *   - memory_size_list used realloc-into-tmp with a
+             *     NULL-check but ignored the failure, which left
+             *     the array one element too small while
+             *     num_memory_buffers claimed the new size -
+             *     heap buffer overflow on the [num-1] write
+             *     below.
+             *
+             * Fix: compute new_count and grow both lists into
+             * temp pointers before incrementing num_memory_buffers.
+             * Skip this descriptor on OOM (continue outer loop);
+             * the loop's post-check 'if (cheat_st->num_memory_
+             * buffers == 0)' then falls through to the
+             * RETRO_MEMORY_SYSTEM_RAM fallback path below. */
+            unsigned new_count = cheat_st->num_memory_buffers + 1;
+            uint8_t **new_bufs;
+            unsigned *new_sizes;
 
             if (!cheat_st->memory_buf_list)
-               cheat_st->memory_buf_list = (uint8_t**)calloc(1, sizeof(uint8_t *));
+               new_bufs = (uint8_t**)calloc(1, sizeof(uint8_t *));
             else
-               cheat_st->memory_buf_list = (uint8_t**)realloc(
-                     cheat_st->memory_buf_list, sizeof(uint8_t *) * cheat_st->num_memory_buffers);
+               new_bufs = (uint8_t**)realloc(
+                     cheat_st->memory_buf_list,
+                     sizeof(uint8_t *) * new_count);
+
+            if (!new_bufs)
+               continue;
+            cheat_st->memory_buf_list = new_bufs;
 
             if (!cheat_st->memory_size_list)
-               cheat_st->memory_size_list = (unsigned*)calloc(1, sizeof(unsigned));
+               new_sizes = (unsigned*)calloc(1, sizeof(unsigned));
             else
-            {
-               unsigned *val = (unsigned*)realloc(
+               new_sizes = (unsigned*)realloc(
                      cheat_st->memory_size_list,
-                     sizeof(unsigned) *
-                     cheat_st->num_memory_buffers);
+                     sizeof(unsigned) * new_count);
 
-               if (val)
-                  cheat_st->memory_size_list = val;
-            }
+            if (!new_sizes)
+               continue;
+            cheat_st->memory_size_list = new_sizes;
 
-            cheat_st->memory_buf_list[cheat_st->num_memory_buffers  - 1] = (uint8_t*)sys_info->mmaps.descriptors[i].core.ptr;
-            cheat_st->memory_size_list[cheat_st->num_memory_buffers - 1] = (unsigned)sys_info->mmaps.descriptors[i].core.len;
-            cheat_st->total_memory_size += sys_info->mmaps.descriptors[i].core.len;
+            cheat_st->num_memory_buffers                           = new_count;
+            cheat_st->memory_buf_list[new_count  - 1]              = (uint8_t*)sys_info->mmaps.descriptors[i].core.ptr;
+            cheat_st->memory_size_list[new_count - 1]              = (unsigned)sys_info->mmaps.descriptors[i].core.len;
+            cheat_st->total_memory_size                           += sys_info->mmaps.descriptors[i].core.len;
 
             if (!cheat_st->curr_memory_buf)
                cheat_st->curr_memory_buf = (uint8_t*)sys_info->mmaps.descriptors[i].core.ptr;
@@ -863,6 +918,22 @@ int cheat_manager_initialize_memory(rarch_setting_t *setting, size_t idx, bool w
             calloc(1, sizeof(uint8_t *));
       cheat_st->memory_size_list    = (unsigned*)
             calloc(1, sizeof(unsigned));
+      /* NULL-check both callocs: the [0] writes below NULL-deref
+       * on OOM.  If either failed, free whichever succeeded and
+       * bail out to MSG_CHEAT_INIT_FAIL with the same path as
+       * the meminfo failure above. */
+      if (!cheat_st->memory_buf_list || !cheat_st->memory_size_list)
+      {
+         char msg[128];
+         size_t _len = strlcpy(msg, msg_hash_to_str(MSG_CHEAT_INIT_FAIL), sizeof(msg));
+         free(cheat_st->memory_buf_list);
+         cheat_st->memory_buf_list = NULL;
+         free(cheat_st->memory_size_list);
+         cheat_st->memory_size_list = NULL;
+         runloop_msg_queue_push(msg, _len, 1, 180, true, NULL,
+               MESSAGE_QUEUE_ICON_DEFAULT, MESSAGE_QUEUE_CATEGORY_INFO);
+         return 0;
+      }
       cheat_st->num_memory_buffers  = 1;
       cheat_st->memory_buf_list[0]  = (uint8_t*)meminfo.data;
       cheat_st->memory_size_list[0] = (unsigned)meminfo.size;