Commit 4cf2d21
menu/cbs/menu_cbs_ok: NULL-check file_transfer_t allocs in network content and download paths
Three unchecked file_transfer_t allocations in menu_cbs_ok.c,
all on user-triggered menu navigation paths. Same underlying
pattern across all three: alloc -> immediate ->field write or
strlcpy(->path, ...) which NULL-derefs on OOM.
=== cb_net_generic parent-dir transfer (line ~5163) ===
file_transfer_t *transf = (file_transfer_t*)malloc(sizeof(*transf));
parent_dir_encoded[0] = '\0';
transf->enum_idx = MSG_UNKNOWN; /* NULL-deref on OOM */
_len = fill_pathname_parent_dir(transf->path, ...);
...
Fires during 'index_dirs' navigation (online updater subdir
browsing). Void-returning function, easy to degrade.
Fix: wrap the transf-using block in 'if (transf) { ... }'.
OOM skips the parent-dir HTTP probe but doesn't crash; the
user sees the current listing without a 'go up a level'
parent entry. They can retry by navigating back and re-
entering the online updater menu.
=== generic_action_ok_network (line ~5268) ===
transf = (file_transfer_t*)calloc(1, sizeof(*transf));
strlcpy(transf->path, url_path, sizeof(transf->path)); /* NULL-deref */
task_push_http_transfer_file(url_path_encoded, ...);
return generic_action_ok_displaylist_push(...);
Fires on every 'fetch online core / content / thumbnail list'
menu action. Function returns an int from
generic_action_ok_displaylist_push which runs after the
transfer queueing.
Fix: wrap the HTTP transfer block in 'if (transf) { ... }'
so the displaylist push still runs (showing an empty list
until retry). Preserves the menu's navigation position and
return-int contract.
=== action_ok_download_generic (line ~5606) ===
transf = (file_transfer_t*)calloc(1, sizeof(*transf));
transf->enum_idx = enum_idx; /* NULL-deref on OOM */
strlcpy(transf->path, path, sizeof(transf->path));
Fires on every user-initiated download (assets, cores, shader
presets, thumbnails, overlays, etc.).
Fix: 'if (!transf) return 0;' - same return code as the success
path at the bottom of the function. Not using -1 because the
menu dispatch treats negative returns as hard failures that may
reset navigation state; 0 matches the normal return and leaves
the user where they were to retry.
=== Not a bug, verified clean ===
Other alloc sites in menu/cbs/ audited during this pass:
* menu_cbs_ok.c:5141 - menu->core_buf malloc, NULL-checked
with goto finish.
* menu_cbs_ok.c:6870 - room_data malloc, NULL-checked with
goto done.
* menu_cbs_ok.c:6884 - net_st->room_list calloc, NULL-checked
with if (room_list) guard around the memcpy loop.
* menu_cbs_ok.c:6944 - net_st->room_list calloc in discovered-
hosts callback, NULL-checked with goto done.
* The 9 cheat_manager_realloc() call sites between lines
4526-4830 are function calls into a previously-patched
realloc contract (see '8fe1c05 cheat_manager: fix three
OOM bug clusters...') not raw allocations.
strdup-based sites checked but not patched (graceful degrade):
* menu_cbs_deferred_push.c:84, 339, 342 - info->path_b /
info->path / info->label reassignments. Callers free the
old string first; a NULL replacement represents 'not set'
which downstream displaylist consumers tolerate (menu
iteration already handles missing path/label gracefully).
* menu_cbs_deferred_push.c:464 - info->exts strdup feeds
dir_list_append at menu_displaylist.c:4433 which gates on
'if (ext)' before parsing (see libretro-common/lists/
dir_list.c:326-331). NULL exts = no ext filter, still
returns a valid listing.
* menu_cbs_info.c:54 - info.label for the DISPLAYLIST_HELP
screen. Same reasoning as the deferred_push cases; NULL
label is treated as 'default help title' by downstream
consumers.
Leaving those strdup sites alone keeps the diff minimal and
avoids introducing behavioural changes to paths that weren't
actually crashing.
=== Thread-safety ===
All three fixed functions run on the main thread during menu
interaction. HTTP transfer tasks queued via
task_push_http_transfer_file run on the task worker thread but
we only queue them after the transf payload is fully populated
(the NULL-check guards skip queueing, which is what we want -
an unqueued task is a no-op). No lock discipline changes.
=== Reachability ===
Every fix site is triggered by direct user action in the menu:
* generic_action_ok_network + action_ok_download_generic fire
on every content/core/thumbnail download attempt from the
Online Updater submenu.
* cb_net_generic parent-dir transfer fires as a follow-up
when entering a subdirectory in the Online Updater.
1 parent 1871bd1
commit 4cf2d21
1 file changed
Lines changed: 38 additions & 14 deletions
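The alloc-then-write pattern and the two guard shapes the commit message describes, as an added example that is not the project's code: a fault-injecting allocator forces the OOM branch so both the `if (transf) { ... }` wrap (the displaylist push still runs and the int contract is kept) and the `if (!transf) return 0;` early return can be exercised without actually exhausting memory. `xfer_t`, `xfer_calloc`, `queue_transfer`, `push_displaylist`, `run_scenario` and the example URL are hypothetical stand-ins for the project's `file_transfer_t`, `task_push_http_transfer_file` and `generic_action_ok_displaylist_push`; `snprintf` stands in for `strlcpy`, which is not in every libc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XFER_PATH_MAX 256

/* Hypothetical stand-in for the project's file_transfer_t payload. */
typedef struct {
    int  enum_idx;
    char path[XFER_PATH_MAX];
} xfer_t;

/* Fault injection: when set, the next allocation returns NULL so the OOM
   branch runs under an ordinary test instead of a real out-of-memory state. */
static int g_fail_next_alloc = 0;

static void *xfer_calloc(size_t n, size_t sz)
{
    if (g_fail_next_alloc) {
        g_fail_next_alloc = 0;
        return NULL;
    }
    return calloc(n, sz);
}

/* Stand-ins for the task queue and the displaylist push. The real task queue
   takes ownership of the payload, so the mock frees it after recording it. */
static int  g_queued_count = 0;
static int  g_pushed_count = 0;
static char g_last_queued_path[XFER_PATH_MAX];

static void queue_transfer(xfer_t *transf)
{
    g_queued_count++;
    snprintf(g_last_queued_path, sizeof(g_last_queued_path), "%s", transf->path);
    free(transf);
}

static int push_displaylist(void)
{
    g_pushed_count++;
    return 0;
}

const char *last_queued_path(void) { return g_last_queued_path; }

/* BEFORE: the unchecked shape the commit removes. Never invoked here; with
   the allocator forced to fail it writes through NULL on the snprintf line. */
int fetch_list_unchecked(const char *url_path)
{
    xfer_t *transf = (xfer_t*)xfer_calloc(1, sizeof(*transf));
    snprintf(transf->path, sizeof(transf->path), "%s", url_path); /* NULL-deref on OOM */
    queue_transfer(transf);
    return push_displaylist();
}

/* AFTER, shape 1: guard only the transf-using block, so the displaylist push
   and the function's int return still happen; an unqueued task is a no-op. */
static int fetch_list_checked(const char *url_path)
{
    xfer_t *transf = (xfer_t*)xfer_calloc(1, sizeof(*transf));
    if (transf) {
        snprintf(transf->path, sizeof(transf->path), "%s", url_path);
        queue_transfer(transf);
    }
    return push_displaylist();
}

/* AFTER, shape 2: early return with the same code the success path uses, so a
   caller that treats negative returns as hard failures leaves the menu alone. */
static int download_checked(int enum_idx, const char *path)
{
    xfer_t *transf = (xfer_t*)xfer_calloc(1, sizeof(*transf));
    if (!transf)
        return 0;
    transf->enum_idx = enum_idx;
    snprintf(transf->path, sizeof(transf->path), "%s", path);
    queue_transfer(transf);
    return 0;
}

/* Harness: reset the mocks, optionally force each allocation to fail, run one
   fetch and one download, and report how many payloads were queued/pushed. */
int run_scenario(int force_oom, int *queued_out, int *pushed_out)
{
    const char *url = "https://example.invalid/cores/index"; /* constructed input */
    int rc;
    g_queued_count = 0;
    g_pushed_count = 0;
    g_last_queued_path[0] = '\0';

    g_fail_next_alloc = force_oom;
    rc = fetch_list_checked(url);
    g_fail_next_alloc = force_oom;
    rc |= download_checked(7, url);

    *queued_out = g_queued_count;
    *pushed_out = g_pushed_count;
    return rc;
}

int main(void)
{
    int queued, pushed;
    int rc = run_scenario(1, &queued, &pushed);
    printf("forced OOM: rc=%d queued=%d pushed=%d\n", rc, queued, pushed);
    rc = run_scenario(0, &queued, &pushed);
    printf("normal:     rc=%d queued=%d pushed=%d last=%s\n",
           rc, queued, pushed, last_queued_path());
    return 0;
}
```

Under forced OOM both guarded functions return 0, nothing is queued, and the displaylist push still runs once; with the allocator working, two payloads are queued and the last path recorded matches the input. Note that the early-return shape makes an OOM indistinguishable from success to the caller, which is exactly the trade-off the commit message argues for; a log line before the return is the usual way to keep it diagnosable.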
File tree
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5161 | 5161 | | |
5162 | 5162 | | |
5163 | 5163 | | |
5164 | | - | |
| 5164 | + | |
| 5165 | + | |
| 5166 | + | |
| 5167 | + | |
| 5168 | + | |
| 5169 | + | |
| 5170 | + | |
| 5171 | + | |
| 5172 | + | |
5165 | 5173 | | |
5166 | | - | |
| 5174 | + | |
5167 | 5175 | | |
5168 | | - | |
5169 | | - | |
5170 | | - | |
5171 | | - | |
5172 | | - | |
| 5176 | + | |
| 5177 | + | |
| 5178 | + | |
| 5179 | + | |
| 5180 | + | |
5173 | 5181 | | |
5174 | | - | |
5175 | | - | |
5176 | | - | |
5177 | | - | |
| 5182 | + | |
| 5183 | + | |
| 5184 | + | |
| 5185 | + | |
| 5186 | + | |
5178 | 5187 | | |
5179 | 5188 | | |
5180 | 5189 | | |
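Review bot: the hunk at 5163 adds 20 lines against 11 removed, which is more churn than wrapping the existing body in `if (transf) { ... }` should produce even with re-indentation; please confirm that `parent_dir_encoded[0] = '\0';`, which the message places between the malloc and the first `transf->` write and which does not touch transf, stays outside the guard so the buffer is initialised on the OOM branch too, and consider a log line in the skipped case, since the silent "no parent entry" outcome the message describes is otherwise hard to diagnose from a user report.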
| |||
5257 | 5266 | | |
5258 | 5267 | | |
5259 | 5268 | | |
5260 | | - | |
| 5269 | + | |
| 5270 | + | |
| 5271 | + | |
| 5272 | + | |
| 5273 | + | |
| 5274 | + | |
| 5275 | + | |
| 5276 | + | |
| 5277 | + | |
5261 | 5278 | | |
5262 | | - | |
5263 | | - | |
| 5279 | + | |
| 5280 | + | |
| 5281 | + | |
5264 | 5282 | | |
5265 | 5283 | | |
5266 | 5284 | | |
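Review bot: with the transfer block guarded at 5268 and `generic_action_ok_displaylist_push` still returning normally, an allocation failure is indistinguishable from a successful fetch that returned an empty list; add an else branch that logs the failure so the empty listing has a diagnosable cause. Also, the hunk removes 5262-5263 and adds 5279-5281 after the guarded block; please confirm those are the unchanged push call re-indented rather than a change to the push path, because the return-int contract the message relies on depends on the push running on both branches.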
| |||
5586 | 5604 | | |
5587 | 5605 | | |
5588 | 5606 | | |
| 5607 | + | |
| 5608 | + | |
| 5609 | + | |
| 5610 | + | |
| 5611 | + | |
| 5612 | + | |
5589 | 5613 | | |
5590 | 5614 | | |
5591 | 5615 | | |
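Review bot: the six added lines at 5607-5612 with nothing removed mean the `if (!transf) return 0;` check is inserted ahead of the existing `transf->enum_idx` / `strlcpy` writes, which is the right placement, and the message's reasoning for 0 over -1 (negative returns may reset navigation) holds; but returning the success code silently leaves the user with a download that never starts and no indication why, so emit a log line before the return, and note in a comment at the check that 0 is deliberate so a later reader does not "fix" it to -1.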
| |||