task_http: fix heap-buffer-overflow in GET fast-path + regression test

task_push_http_transfer_generic() decided whether a request is a "plain"
GET (and therefore subject to dedup via task_http_finder) by doing:

    method = net_http_connection_method(conn);
    if (memcmp(method, "GET", 3) == 0 && method[3] == '\0')

`method` is a pointer into a buffer that net_http_connection_new()
strdup'd from caller-supplied data; its allocation is exactly
strlen(method) + 1 bytes.  Two cases overrun that buffer:

1) method == NULL.  task_push_http_transfer_with_content() forwards the
   caller-supplied `method` argument straight to net_http_connection_new()
   without a NULL check; net_http_connection_new() itself permits a NULL
   method (conn->method stays NULL).  net_http_connection_method() then
   returns NULL and the memcmp dereferences it.

2) method shorter than 3 chars (e.g. "" or a 1-char custom verb).
   strdup allocates 1 or 2 bytes; memcmp reads 3 bytes regardless,
   overrunning the heap allocation.  AddressSanitizer reports:

     ==N==ERROR: AddressSanitizer: heap-buffer-overflow
     READ of size 3 at <addr> thread T0
       #0 ... memcmp
       #1 task_push_http_transfer_generic tasks/task_http.c:274
     <addr> is located 0 bytes after 2-byte region [...,...]
     allocated by thread T0 here:
       #0 ... strdup
       #1 net_http_connection_new

The trailing `method[3] == '\0'` guard happens *after* memcmp's read,
so it cannot prevent the overflow.

Replace the unsafe pair with string_is_equal(), which is bounded by the
buffer's own NUL terminator and is already used elsewhere in this file
(see task_http_finder at line 242 and the existing #include of
<string/stdstring.h>).  Add an explicit NULL guard for the method that
takes the existing error path; this also frees `conn` via the goto so
the existing ownership invariant on the error label is preserved.

Add a standalone regression test under samples/tasks/http/ and wire it
into Linux-samples-tasks CI.  The test mirrors
samples/tasks/decompress/archive_name_safety_test.c: it keeps a
verbatim copy of the predicate (the dispatch decision is local to
task_push_http_transfer_generic and not in a public header) and
exercises it against the truth-table plus the bounds-safety regression
cases ("", "X", "GE", NULL).  Inputs are strdup'd so each buffer's
allocation is exactly strlen+1, matching what net_http_connection_new()
does and making the pre-fix expression trip ASan in CI.

The Makefile honours SANITIZER= the same way samples/tasks/database/
does, and the new CI step builds with SANITIZER=address so a regression
to any unsafe expression is caught at the bounds level, not just the
truth-table level.  Verified locally: with the post-fix predicate the
test passes clean under ASan; reverting the predicate to the pre-fix
memcmp causes ASan to abort with "heap-buffer-overflow ... READ of
size 3" on the empty-string case.

build-essential on ubuntu-latest already pulls libasan via gcc-13's
libgcc-13-dev, so no apt-get changes are needed in the workflow.

Found via a focused ASan harness around the task_http.c finish-path
ownership logic.

Author: LibretroAdmin

.github/workflows/Linux-samples-tasks.yml

@@ -81,3 +81,22 @@ jobs:
           # ever amends the predicate, the copy here must follow.
           timeout 60 ./archive_name_safety_test
           echo "[pass] archive_name_safety_test"
+
+      - name: Build and run http_method_match_test (ASan)
+        shell: bash
+        working-directory: samples/tasks/http
+        run: |
+          set -eu
+          # Regression test for the heap-buffer-overflow fix in
+          # tasks/task_http.c::task_push_http_transfer_generic().
+          # Pre-fix, an unsafe memcmp(method, "GET", 3) read past
+          # the strdup'd buffer when method was NULL or shorter
+          # than 3 bytes.  Build under AddressSanitizer so a
+          # regression to the unsafe expression is caught at the
+          # bounds level, not just the truth-table level.  If
+          # task_http.c amends the GET-dispatch predicate, the
+          # copy in http_method_match_test.c must follow.
+          make clean all SANITIZER=address
+          test -x http_method_match_test
+          timeout 60 ./http_method_match_test
+          echo "[pass] http_method_match_test"

samples/tasks/http/Makefile

@@ -0,0 +1,25 @@
+TARGET := http_method_match_test
+
+SOURCES := http_method_match_test.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -O0
+
+ifneq ($(SANITIZER),)
+   CFLAGS  := -fsanitize=$(SANITIZER) -fno-omit-frame-pointer $(CFLAGS)
+   LDFLAGS := -fsanitize=$(SANITIZER) $(LDFLAGS)
+endif
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean

samples/tasks/http/http_method_match_test.c

@@ -0,0 +1,171 @@
+/* Copyright  (C) 2010-2026 The RetroArch team
+ *
+ * ---------------------------------------------------------------------------------------
+ * The following license statement only applies to this file (http_method_match_test.c).
+ * ---------------------------------------------------------------------------------------
+ *
+ * Permission is hereby granted, free of charge,
+ * to any person obtaining a copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+/* Regression test for the heap-buffer-overflow fix in
+ * tasks/task_http.c::task_push_http_transfer_generic().
+ *
+ * Original bug: the dispatch decision was
+ *
+ *     if (memcmp(method, "GET", 3) == 0 && method[3] == '\0')
+ *
+ * `method` is a strdup'd buffer whose allocation is exactly
+ * strlen(method) + 1 bytes.  When `method` is NULL or shorter than
+ * 3 bytes (e.g. "" or "X") the memcmp reads past the buffer.  The
+ * trailing method[3] guard runs *after* the read, so it cannot
+ * prevent the overflow.
+ *
+ * Fix: dispatch via string_is_equal(method, "GET") with an explicit
+ * NULL guard upstream.
+ *
+ * The match predicate is local to task_push_http_transfer_generic()
+ * and isn't in a public header, so this test keeps a verbatim copy
+ * of the relevant fragment as the oracle, exactly as
+ * archive_name_safety_test.c does for archive_name_is_safe().  If
+ * task_http.c amends the predicate, the copy here must follow.
+ *
+ * The test is most useful when built under AddressSanitizer:
+ *
+ *   make clean all SANITIZER=address
+ *   ./http_method_match_test
+ *
+ * Without ASan the post-fix expression is also bounds-safe and the
+ * test simply asserts the truth-table.  With ASan, *both* the
+ * truth-table and the bounds-safety are checked at once: building
+ * the pre-fix expression instead would trip ASan on the short/NULL
+ * inputs below.
+ *
+ * Build standalone:
+ *   cc -Wall -std=gnu99 -g -O0 -o http_method_match_test \
+ *      http_method_match_test.c
+ *   ./http_method_match_test
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+
+/* Drop-in equivalent of libretro-common/string/stdstring.h's
+ * string_is_equal().  Kept local so the test compiles standalone
+ * without pulling libretro-common into the build, matching the
+ * archive_name_safety_test.c convention. */
+static inline bool string_is_equal(const char *a, const char *b)
+{
+   if (a == b)
+      return true;
+   if (!a || !b)
+      return false;
+   return strcmp(a, b) == 0;
+}
+
+/* =============== verbatim from tasks/task_http.c =============== *
+ * The fragment under test is the dispatch decision made on `method`
+ * inside task_push_http_transfer_generic(), post-fix:
+ *
+ *     if (!method)
+ *        goto error;
+ *     if (string_is_equal(method, "GET"))
+ *        ... GET fast-path ...
+ *
+ * Wrapped here as a single bool predicate that mirrors the post-fix
+ * control flow: NULL is rejected (returns false, like the goto error
+ * branch which never reaches the GET fast-path), otherwise the
+ * GET-equality test runs against the buffer's NUL terminator.
+ */
+static bool http_is_plain_get(const char *method)
+{
+   if (!method)
+      return false;
+   return string_is_equal(method, "GET");
+}
+/* =============== end verbatim copy =============== */
+
+static int failures = 0;
+
+/* expect() takes a strdup'd input so that the buffer's allocation
+ * size is exactly strlen+1 bytes, which is what
+ * net_http_connection_new() does and what makes the pre-fix code
+ * trip ASan.  A literal would sit in .rodata where the OOB read may
+ * not be caught. */
+static void expect(const char *literal_or_null, bool want)
+{
+   char *buf = literal_or_null ? strdup(literal_or_null) : NULL;
+   bool  got = http_is_plain_get(buf);
+   const char *display = literal_or_null
+      ? (literal_or_null[0] ? literal_or_null : "(empty)")
+      : "(null)";
+
+   if (got != want)
+   {
+      printf("[FAILED]  %-12s  expected %s, got %s\n",
+            display,
+            want ? "GET"     : "non-GET",
+            got  ? "GET"     : "non-GET");
+      failures++;
+   }
+   else
+   {
+      printf("[SUCCESS] %-12s  %s\n",
+            display,
+            want ? "matched GET fast-path"
+                 : "correctly not GET");
+   }
+
+   free(buf);
+}
+
+int main(void)
+{
+   /* --- the only true case --- */
+   expect("GET",      true);
+
+   /* --- non-GET methods that the function legitimately receives --- */
+   expect("POST",     false);
+   expect("PUT",      false);
+   expect("DELETE",   false);
+   expect("OPTIONS",  false);
+   expect("MKCOL",    false);
+   expect("MOVE",     false);
+
+   /* --- the bounds-safety regression cases ---
+    * Pre-fix, every one of these tripped a heap-buffer-overflow
+    * read of size 3 in memcmp().  Post-fix, string_is_equal walks
+    * to the buffer's NUL terminator and is safe on short/empty
+    * input; the NULL case is rejected by the upstream guard. */
+   expect("",         false);  /* 1-byte alloc, pre-fix read 3 */
+   expect("X",        false);  /* 2-byte alloc, pre-fix read 3 */
+   expect("GE",       false);  /* 3-byte alloc; GET prefix of "GET" but not equal */
+   expect(NULL,       false);  /* pre-fix dereferenced NULL */
+
+   /* --- near-misses that must NOT collapse to GET --- */
+   expect("GETx",     false);  /* GET prefix + extra chars */
+   expect("get",      false);  /* case sensitivity */
+   expect("GE\0T",    false);  /* embedded NUL: only "GE" is visible to strcmp */
+
+   if (failures)
+   {
+      printf("\n%d test(s) failed\n", failures);
+      return 1;
+   }
+   printf("\nAll http_is_plain_get regression tests passed.\n");
+   return 0;
+}

tasks/task_http.c

@@ -266,12 +266,19 @@ static void *task_push_http_transfer_generic(
 
    method = net_http_connection_method(conn);
 
+   /* net_http_connection_new() permits a NULL method, so
+    * net_http_connection_method() may legitimately return NULL here.
+    * Treat that as a hard error: we cannot dispatch a request without
+    * a method, and the GET fast-path below would deref NULL. */
+   if (!method)
+      goto error;
+
    /* POST requests usually mutate the server, so assume multiple calls are
     * intended, even if they're duplicated. Additionally, they may differ
     * only by the POST data, and task_http_finder doesn't look at that, so
     * unique requests could be misclassified as duplicates.
     */
-   if (memcmp(method, "GET", 3) == 0 && method[3] == '\0')
+   if (string_is_equal(method, "GET"))
    {
       task_finder_data_t find_data;
       find_data.func     = task_http_finder;