frontend/drivers/platform_emscripten: NULL-check allocs in OPFS and FetchFS boot init

LibretroAdmin · LibretroAdmin · commit ae25da3914a4 · 2026-04-24T16:02:32.000+02:00
Four unchecked allocations in the emscripten platform driver's
boot-time filesystem mount paths:

=== OPFS mount: strdup ===

    char *parent = strdup(opfs_mount);
    path_parent_dir(parent, strlen(parent));

strdup unchecked; strlen(NULL) NULL-derefs on OOM before
path_parent_dir even runs.

=== FetchFS manifest: calloc + strdup ===

    char *line = calloc(sizeof(char), max_line_len);
    ...
    char *base_url  = strdup(line);

Pre-patch the calloc was unchecked.  If it returned NULL:
- getline() glibc/musl tolerate NULL line pointer (it
  allocates its own buffer internally), so the getline call
  itself would not immediately crash.
- But the subsequent strdup(line) at line ~869 would run
  against whatever getline stored into line - if the manifest
  was empty getline would have returned -1 and we skip the
  strdup.  If non-empty, getline would have allocated a
  buffer and the strdup works.
- However, inside the while-loop at line ~885, getline is
  called again with &amp;line still pointing at getline's
  internal allocation - still fine.
- The real risk: if the initial calloc returned NULL and the
  manifest had exactly one line, we'd skip the 'base URL'
  parse but continue into wasmfs_create_fetch_backend which
  needs base_url.  This path is robustly handled by the
  existing !base_url check inside the loop.

So the calloc NULL-check is defensive rather than strictly
required.  But the consistency with the other allocations in
this block argues for adding it.

=== FetchFS per-entry: two strdups ===

    char *parent = strdup(realfs_path);
    path_parent_dir(parent, strlen(parent));
    ...
    char *parent = strdup(fetchfs_path);
    path_parent_dir(parent, strlen(parent));

Both unchecked; strlen(NULL) NULL-derefs on OOM.

=== Fix: abort() on OOM matching the init policy ===

All the other failure paths in these init blocks call
abort() (fopen failure, wasmfs_create_fetch_backend failure,
wasmfs_create_file failure, mkdir failure).  These are boot-
time filesystem mount operations on the web build; if any
of them fail there is no sensible recovery path.  Match that
policy: print a diagnostic and abort on each OOM.

No functional change when memory is available.  On a
memory-starved browser tab (rare, but can happen on mobile
or with many other tabs open) we get a clear abort with a
log message pointing at the OOM site rather than a SIGSEGV
from strlen/memcpy of NULL.

=== Swept-clean in the same pass ===

Other frontend/drivers/ files verified clean:

- platform_unix.c: 7 sites, all NULL-checked with prior
  audit comments in place (android_app, savedState, newargv
  exec fork, inotify_data, path_change_data, voice_out /
  speed_out accessibility).

- platform_darwin.m: 4 sites all guarded - watch_data /
  watches callocs with proper cleanup chain, change_data
  calloc with the prior-audit explicit-free-on-failure
  handling, the watches[i].path strdup at line ~1030 is
  intentionally unchecked because the field is only read by
  the teardown path (for free()) - strdup failure is
  benign, just means no debug-log path, teardown sees NULL
  and skips the free.

- platform_ps2.c: 3 sites all intentionally designed around
  OOM - they're memory-probing loops that halve the request
  size until malloc succeeds or size reaches 0.  Idiomatic
  for the platform.

- platform_xdk.c: 2 sites both NULL-checked with prior
  audit comments.

- platform_switch.c: 2 sites both NULL-checked (malloc with
  early-return, realloc with tmp-pattern + goto error).

- platform_wii.c: 1 site NULL-checked.

- platform_dos.c: 1 site NULL-checked with prior audit
  comment.

- platform_ctr.c: 1 site NULL-checked via 'if (code_buffer)'
  wrapping the subsequent writes.

- platform_emscripten.c main() platform data
  calloc: NULL-checked with prior audit comment - return 1
  from main() on failure.

Thread-safety: all four sites run on the emscripten main
thread at process entry / mount setup time.  No concurrency.

Reachability: emscripten memory is browser-tab-bounded; OOM
at process entry is rare but possible (especially on mobile
devices with other tabs consuming the shared memory pool).
The fix changes the failure mode from 'opaque SIGSEGV in
strlen' to 'explicit abort with OOM log message' - strictly
better for debugging.
diff --git a/frontend/drivers/platform_emscripten.c b/frontend/drivers/platform_emscripten.c
@@ -811,6 +811,14 @@ static void platform_emscripten_mount_filesystems(void)
       backend_t opfs = wasmfs_create_opfs_backend();
       {
          char *parent = strdup(opfs_mount);
+         /* NULL-check strdup: path_parent_dir/strlen on NULL parent
+          * NULL-derefs.  Match the abort() policy used for all
+          * other failures in this boot-time init path. */
+         if (!parent)
+         {
+            printf("[OPFS] out of memory duplicating mount path\n");
+            abort();
+         }
          path_parent_dir(parent, strlen(parent));
          if (!path_mkdir(parent))
          {
@@ -860,6 +868,22 @@ static void platform_emscripten_mount_filesystems(void)
         abort();
       }
       char *line = calloc(sizeof(char), max_line_len);
+      /* NULL-check the calloc: getline below receives &line and
+       * will realloc it if needed, but the getline interface
+       * requires the initial pointer to be either NULL (fine)
+       * or a valid malloc'd buffer.  On OOM 'line' stays NULL
+       * which the getline glibc implementation tolerates (it
+       * will allocate itself), but e.g. musl's getline also
+       * tolerates NULL so behaviour is consistent.  However,
+       * if the calloc succeeded and then later in this function
+       * we strdup(line) at line ~869 / line ~899, those would
+       * NULL-deref if line were NULL.  Simplest correct path:
+       * abort on OOM like the other boot-init failures. */
+      if (!line)
+      {
+         printf("[FetchFS] out of memory allocating manifest line buffer\n");
+         abort();
+      }
       __len = max_line_len;
       if (getline(&line, &__len, file) == -1 || __len == 0)
          printf("[FetchFS] missing base URL suggest empty manifest, skipping fetch initialization\n");
@@ -909,6 +933,14 @@ static void platform_emscripten_mount_filesystems(void)
             /* Make the directories for link path */
             {
                char *parent = strdup(realfs_path);
+               /* NULL-check: same pattern as opfs_mount strdup
+                * above - path_parent_dir/strlen on NULL would
+                * crash, abort to match boot-init policy. */
+               if (!parent)
+               {
+                  printf("[FetchFS] out of memory duplicating realfs path\n");
+                  abort();
+               }
                path_parent_dir(parent, strlen(parent));
                if (!path_mkdir(parent))
                {
@@ -920,6 +952,12 @@ static void platform_emscripten_mount_filesystems(void)
             /* Make the directories for URL path */
             {
                char *parent = strdup(fetchfs_path);
+               /* NULL-check: same pattern, abort on OOM. */
+               if (!parent)
+               {
+                  printf("[FetchFS] out of memory duplicating fetchfs path\n");
+                  abort();
+               }
                path_parent_dir(parent, strlen(parent));
                if (!path_mkdir(parent))
                {
