net/ssl-mbed: fix sub-context leaks on ssl_socket_init error label

LibretroAdmin · LibretroAdmin · commit 689fc11d563c · 2026-04-23T23:55:00.000+02:00
Deferred follow-up noted in e3dc586 ('ssl-mbed NULL-check calloc'). ssl_socket_init's error label (line 138 pre-patch) only did free(state), but the function initialised six mbedtls sub- contexts on 'state' before the two failure-checked calls that can branch to it: mbedtls_net_init(&state->net_ctx); mbedtls_ssl_init(&state->ctx); mbedtls_ssl_config_init(&state->conf); mbedtls_x509_crt_init(&state->ca); mbedtls_ctr_drbg_init(&state->ctr_drbg); mbedtls_entropy_init(&state->entropy); ... if (mbedtls_ctr_drbg_seed(...) != 0) goto error; if (mbedtls_x509_crt_parse(...) < 0) goto error; Each _init pairs with a matching _free that releases internally- allocated buffers (entropy pool, DRBG state, SSL and config contexts, X509 chain). Pre-patch, a ctr_drbg_seed or x509_crt_parse failure leaked all of them. Fix: mirror ssl_socket_free's teardown in the error label, in reverse of init order. Same five _free calls, same #ifdef gate for the X509 chain. mbedtls_net_free is intentionally NOT called - the net_ctx only holds state->net_ctx.fd which is the caller's fd parameter (assigned at line 120) and the caller still owns it on this error exit. ssl_socket_free similarly avoids mbedtls_net_free; it just socket_close's the fd through the separate ssl_socket_close path at line 345. The pre-existing 'if (state)' guard is now redundant (state is NULL-checked at line 102 immediately after the calloc, so the error label is only reachable with state != NULL). Kept it to minimise the diff. Thread-safety: unchanged. ssl_socket_init runs on the http- task worker thread and doesn't touch shared state. Reachability: every HTTPS connection that reaches the error label - either a ctr_drbg_seed failure (extremely rare, would indicate entropy source failure) or an x509_crt_parse failure on the bundled cacert_pem (would only happen after local cert data corruption). Neither is a common runtime condition, but when they do hit the leak is significant (~10-40KB depending on mbedtls build config) and repeated across every retry.
diff --git a/gfx/drivers/d3d9hlsl.c b/gfx/drivers/d3d9hlsl.c
@@ -3521,9 +3521,11 @@ static char *d3d9_hlsl_preprocess_includes(
                         size_t resolved_len = strlen(resolved_inc);
                         while (pos + resolved_len + 2 >= cap)
                         {
+                           char *tmp;
                            cap *= 2;
-                           out  = (char*)realloc(out, cap);
-                           if (!out) { free(resolved_inc); return NULL; }
+                           if (!(tmp = (char*)realloc(out, cap)))
+                           { free(out); free(resolved_inc); return NULL; }
+                           out = tmp;
                         }
                         memcpy(out + pos, resolved_inc, resolved_len);
                         pos += resolved_len;
@@ -3545,9 +3547,11 @@ static char *d3d9_hlsl_preprocess_includes(
       {
          while (pos + line_len + 1 >= cap)
          {
+            char *tmp;
             cap *= 2;
-            out  = (char*)realloc(out, cap);
-            if (!out) return NULL;
+            if (!(tmp = (char*)realloc(out, cap)))
+            { free(out); return NULL; }
+            out = tmp;
          }
          memcpy(out + pos, p, line_len);
          pos += line_len;
@@ -3586,9 +3590,20 @@ static bool d3d9_hlsl_buf_append(char **buf, size_t *pos, size_t *cap,
 {
    while (*pos + len + 1 >= *cap)
    {
+      char  *tmp;
       *cap *= 2;
-      *buf  = (char*)realloc(*buf, *cap);
-      if (!*buf) return false;
+      /* realloc-into-tmp: the pre-patch '*buf = realloc(*buf, *cap)'
+       * form leaked the old buffer on OOM (self-assign overwrites
+       * the only pointer to it with NULL).  On failure free the old
+       * buffer and clear the caller's pointer so they don't double-
+       * free or use a now-invalid pointer. */
+      if (!(tmp = (char*)realloc(*buf, *cap)))
+      {
+         free(*buf);
+         *buf = NULL;
+         return false;
+      }
+      *buf = tmp;
    }
    memcpy(*buf + *pos, str, len);
    *pos += len;
@@ -3756,7 +3771,13 @@ static char *d3d9_hlsl_add_struct_semantics(const char *source)
                      {
                         size_t len = (size_t)(ob + 1 - p);
                         while (opos + len + 1 >= cap)
-                        { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+                        {
+                           char *tmp;
+                           cap *= 2;
+                           if (!(tmp = (char*)realloc(out, cap)))
+                           { free(out); return NULL; }
+                           out = tmp;
+                        }
                         memcpy(out + opos, p, len);
                         opos += len;
                      }
@@ -3805,20 +3826,38 @@ static char *d3d9_hlsl_add_struct_semantics(const char *source)
                                  size_t sl = snprintf(sem, sizeof(sem),
                                        " : TEXCOORD%d", texcoord_counter++);
                                  while (opos + sl + 2 >= cap)
-                                 { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+                                 {
+                                    char *tmp;
+                                    cap *= 2;
+                                    if (!(tmp = (char*)realloc(out, cap)))
+                                    { free(out); return NULL; }
+                                    out = tmp;
+                                 }
                                  memcpy(out + opos, sem, sl);
                                  opos += sl;
                               }
                            }
                            while (opos + 2 >= cap)
-                           { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+                           {
+                              char *tmp;
+                              cap *= 2;
+                              if (!(tmp = (char*)realloc(out, cap)))
+                              { free(out); return NULL; }
+                              out = tmp;
+                           }
                            out[opos++] = *mp++;
                         }
                      }
 
                      /* Copy '}' and advance past struct */
                      while (opos + 2 >= cap)
-                     { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+                     {
+                        char *tmp;
+                        cap *= 2;
+                        if (!(tmp = (char*)realloc(out, cap)))
+                        { free(out); return NULL; }
+                        out = tmp;
+                     }
                      out[opos++] = '}';
                      p = cb;
                      continue;
@@ -3829,7 +3868,13 @@ static char *d3d9_hlsl_add_struct_semantics(const char *source)
 
          /* Regular char */
          while (opos + 2 >= cap)
-         { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+         {
+            char *tmp;
+            cap *= 2;
+            if (!(tmp = (char*)realloc(out, cap)))
+            { free(out); return NULL; }
+            out = tmp;
+         }
          out[opos++] = *p++;
       }
 
@@ -4037,7 +4082,13 @@ static char *d3d9_hlsl_decompose_struct_samplers(const char *source)
                   /* Copy 'VARNAME;' then add sampler declaration */
                   size_t chunk = (size_t)(after + 1 - p);
                   while (opos + chunk + ilen + 40 >= cap)
-                  { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+                  {
+                     char *tmp;
+                     cap *= 2;
+                     if (!(tmp = (char*)realloc(out, cap)))
+                     { free(out); return NULL; }
+                     out = tmp;
+                  }
                   memcpy(out + opos, p, chunk);
                   opos += chunk;
 
@@ -4076,7 +4127,13 @@ static char *d3d9_hlsl_decompose_struct_samplers(const char *source)
          }
 
          while (opos + 14 >= cap)
-         { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+         {
+            char *tmp;
+            cap *= 2;
+            if (!(tmp = (char*)realloc(out, cap)))
+            { free(out); return NULL; }
+            out = tmp;
+         }
 
          if (has_paste)
          {
@@ -4095,7 +4152,13 @@ static char *d3d9_hlsl_decompose_struct_samplers(const char *source)
 
       /* Regular char */
       while (opos + 2 >= cap)
-      { cap *= 2; out = (char*)realloc(out, cap); if (!out) return NULL; }
+      {
+         char *tmp;
+         cap *= 2;
+         if (!(tmp = (char*)realloc(out, cap)))
+         { free(out); return NULL; }
+         out = tmp;
+      }
       out[opos++] = *p++;
    }
 
@@ -5087,8 +5150,13 @@ static char *d3d9_hlsl_fixup_cg_source(const char *source)
                   if (!already_global)
                   {
                      while (pos + hoist_len + 1 >= cap)
-                     { cap *= 2; out = (char*)realloc(out, cap);
-                       if (!out) return NULL; }
+                     {
+                        char *tmp;
+                        cap *= 2;
+                        if (!(tmp = (char*)realloc(out, cap)))
+                        { free(out); return NULL; }
+                        out = tmp;
+                     }
                      memmove(out + last_func_start + hoist_len,
                            out + last_func_start, pos - last_func_start);
                      memcpy(out + last_func_start, hoist, hoist_len);
diff --git a/libretro-common/net/net_socket_ssl_mbed.c b/libretro-common/net/net_socket_ssl_mbed.c
@@ -136,8 +136,37 @@ void* ssl_socket_init(int fd, const char *domain)
    return state;
 
 error:
+   /* Pair each non-trivial _init call above (lines 112-118) with
+    * its matching _free.  Pre-patch only free(state) was called,
+    * leaking the five mbedtls sub-context heap allocations that
+    * the _init / _free functions internally manage (entropy
+    * pool buffers, DRBG state buffers, SSL context buffers,
+    * config buffers, X509 chain).
+    *
+    * Mirrors the normal-teardown path in ssl_socket_free below
+    * (lines 355-361) in reverse of init order.  mbedtls_net_free
+    * is intentionally not called for net_ctx (line 111):
+    *   - init sets state->net_ctx.fd from the caller's fd
+    *     parameter at line 120, and the caller still owns that
+    *     fd on this error exit.
+    *   - ssl_socket_free similarly never calls mbedtls_net_free;
+    *     it just socket_close's the fd via ssl_socket_close at
+    *     line 345.
+    *
+    * The if (state) guard is redundant - the state calloc is
+    * NULL-checked at line 102 so we can't reach this label with
+    * state == NULL - but leave it to keep the diff minimal. */
    if (state)
+   {
+      mbedtls_entropy_free(&state->entropy);
+      mbedtls_ctr_drbg_free(&state->ctr_drbg);
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+      mbedtls_x509_crt_free(&state->ca);
+#endif
+      mbedtls_ssl_config_free(&state->conf);
+      mbedtls_ssl_free(&state->ctx);
       free(state);
+   }
    return NULL;
 }
 
