libretro-common/lists/string_list: fail string_list_clone on inner malloc OOM

LibretroAdmin · LibretroAdmin · commit 6cf158d55a4c · 2026-04-23T23:55:18.000+02:00
Pre-patch: if per-element data malloc failed partway through the
clone loop, the inner branch was:

    if (slen != 0)
    {
       char *ret = (char*)malloc(slen + 1);
       if (ret)
       {
          memcpy(ret, _src, slen + 1);
          dest-&gt;elems[i].data = ret;
       }
    }

On OOM, dest-&gt;elems[i].data silently stayed NULL (pre-set at the
top of the iteration) and the loop continued.  The final return
handed back a list with dest-&gt;size set to src-&gt;size but some
.data pointers NULL.

This trap fires on every downstream consumer that assumes .data
is non-NULL, which is all of them:

  * string_list_find_elem at line 349 dereferences elems[i].data
    unconditionally in the (*p1 | 32) compare.
  * string_list_join_concat at line 200 strlcpy's from .data;
    strlcpy(dst, NULL, ...) is UB (EFAULT on glibc, crash
    elsewhere).
  * string_list_join_concat_special at line 214 - same.
  * string_list_find_elem_prefix at line 377 - tolower on *data.

Empty-string list entries are represented with slen == 0 and
never enter the malloc branch, so a NULL .data after the loop
unambiguously means 'OOM happened here' rather than 'this was
intended to be empty'.

Fix: on malloc failure, tear down everything we've allocated so
far (the j &lt; i .data buffers, the elems array, the dest
struct) and return NULL.  Callers of string_list_clone already
handle NULL returns:

  * core_info.c clones eight lists with the pattern
    'dst-&gt;x = src-&gt;x ? string_list_clone(src-&gt;x) : NULL',
    treating NULL as valid cloned-state.
  * audio/drivers/{pipewire,pulse}.c return the clone result
    directly; their callers must handle NULL anyway for the
    no-devicelist case.
  * runahead.c and tasks/task_netplay_find_content.c similarly
    assign and later test.

NULL is strictly safer and more informative than a
silently-corrupted list.

Thread-safety: string_list_clone takes a const src and produces
a fresh dest; no shared-state mutations.  No lock discipline
changes.

Reachability: every deep-clone of a string_list, which is
common for core_info records and audio device enumerations.
Per-element OOM is realistic on memory-tight platforms
(embedded handhelds, PS2, Vita) where core_info can carry
hundreds of entries each with several sub-lists of
short strings.

Scope: one function, one failure mode.  The surrounding
string_list_new, string_list_initialize, and other allocators
in this file were also on my audit list but they're already
NULL-checked properly - verified during this pass, no changes
needed there.
diff --git a/libretro-common/lists/string_list.c b/libretro-common/lists/string_list.c
@@ -431,11 +431,35 @@ struct string_list *string_list_clone(const struct string_list *src)
       if (slen != 0)
       {
          char *ret = (char*)malloc(slen + 1);
-         if (ret)
+         /* Pre-patch: on malloc failure 'dest->elems[i].data'
+          * silently stayed NULL and the loop moved on.  That left
+          * the caller holding a dest with dest->size set to
+          * src->size but some .data pointers NULL - a trap for
+          * every consumer that assumes .data is non-NULL.
+          * string_list_find_elem (line 349), string_list_
+          * join_concat (line 200), and others all dereference
+          * .data unconditionally.  Single empty-string inputs
+          * are represented by slen == 0 and never hit this
+          * branch, so NULL here always means OOM, not 'empty
+          * element was intended'.
+          *
+          * Tear down the partially-cloned destination and
+          * return NULL.  Callers of string_list_clone already
+          * handle NULL returns (clone-failure is an OOM signal)
+          * - NULL is both safer and more informative than a
+          * silently-corrupted list. */
+         if (!ret)
          {
-            memcpy(ret, _src, slen + 1);  /* memcpy > strcpy: no NUL scan */
-            dest->elems[i].data = ret;
+            size_t j;
+            for (j = 0; j < i; j++)
+               if (dest->elems[j].data)
+                  free(dest->elems[j].data);
+            free(dest->elems);
+            free(dest);
+            return NULL;
          }
+         memcpy(ret, _src, slen + 1);  /* memcpy > strcpy: no NUL scan */
+         dest->elems[i].data = ret;
       }
    }
 
