menu: fix OOM NULL-derefs in ozone list cloning and menu_list constructor

LibretroAdmin · LibretroAdmin · commit b36e9f4600fa · 2026-04-24T01:08:28.000+02:00
Three unchecked allocation sites across two menu files, all on
hot paths (menu navigation and menu init).

=== menu/drivers/ozone.c: ozone_copy_node ===

    ozone_node_t *new_node = (ozone_node_t*)malloc(sizeof(*new_node));

    *new_node              = *old_node;     /* NULL-deref on OOM */
    new_node-&gt;fullpath     = old_node-&gt;fullpath
          ? strdup(old_node-&gt;fullpath)
          : NULL;

    return new_node;

Unchecked malloc; the immediate '*new_node = *old_node' struct
copy NULL-derefs on OOM.  This function is called by
ozone_list_deep_copy on every node that has an attached
ozone_node_t userdata, which is every entry in ozone's scrolling
content lists during navigation-induced list copies (scroll,
filter, submenu entry/exit).

Fix: NULL-check and return NULL.  The single caller
(ozone_list_deep_copy) already handles a NULL return cleanly -
it writes the result directly into dst-&gt;list[j].userdata, and
downstream code (ozone_free_list_nodes, ozone's draw paths)
already tolerates NULL userdata entries (represents
'non-ozone-specific' list items like folder entries).

=== menu/drivers/ozone.c: ozone_list_deep_copy actiondata branch ===

    if (src_adata)
    {
       void *data = malloc(sizeof(menu_file_list_cbs_t));
       memcpy(data, src_adata, sizeof(menu_file_list_cbs_t));
       dst-&gt;list[j].actiondata = data;
    }

Same pattern: unchecked malloc, immediate memcpy NULL-derefs on
OOM.  Hit for every list entry that has an actiondata callback
block (which is most of them - menu cbs get attached during
setting construction).

Fix: NULL-check the malloc; on failure leave
dst-&gt;list[j].actiondata = NULL.  The surrounding code already
handles NULL actiondata (matches the 'no src_adata' branch
directly above - entries without cbs just skip action dispatch).

=== menu/menu_driver.c: menu_list_new inner mallocs ===

    for (i = 0; i &lt; list-&gt;menu_stack_size; i++)
    {
       list-&gt;menu_stack[i]           = (file_list_t*)
          malloc(sizeof(*list-&gt;menu_stack[i]));
       list-&gt;menu_stack[i]-&gt;list     = NULL;         /* NULL-deref */
       list-&gt;menu_stack[i]-&gt;capacity = 0;
       list-&gt;menu_stack[i]-&gt;size     = 0;
    }

    for (i = 0; i &lt; list-&gt;selection_buf_size; i++)
    {
       list-&gt;selection_buf[i]           = (file_list_t*)
          malloc(sizeof(*list-&gt;selection_buf[i]));
       list-&gt;selection_buf[i]-&gt;list     = NULL;      /* NULL-deref */
       list-&gt;selection_buf[i]-&gt;capacity = 0;
       list-&gt;selection_buf[i]-&gt;size     = 0;
    }

Two sibling-drift sites.  Each malloc is unchecked and the
immediate field writes NULL-deref on OOM.  Both loops init the
menu's double-buffered navigation stacks; menu_list_new runs
once per menu-driver init, so this crashes RetroArch startup if
OOM hits at exactly the wrong moment.

Fix: NULL-check each malloc, goto error on failure.
menu_list_free already handles partially-populated menu_stack /
selection_buf arrays correctly (has 'if (!menu_list-&gt;menu_stack[i])
continue' guards, and the outer arrays are calloc'd so
unallocated slots past the failure point are already NULL).

=== Thread-safety ===

ozone_list_deep_copy runs on the main/menu thread during list
refresh; menu_list_new runs during menu-driver init before any
worker threads are started.  No lock discipline changes.

=== Reachability ===

  * ozone_copy_node: every ozone list refresh with non-empty
    content (scrolling, filtering, submenu nav).
  * ozone_list_deep_copy actiondata: every ozone list entry with
    attached cbs (which is most).
  * menu_list_new: RetroArch startup menu-driver init.  Typically
    only succeeds or fails once at boot, but the size-2 initial
    lists are small so this fails only on catastrophic memory
    pressure.

=== Not a bug, verified clean ===

Also audited but found properly NULL-checked or gracefully
degrading:
  * menu/drivers/materialui.c:2365, 9092 - use the
    'if (!(x = alloc(...)))' idiom.
  * menu/drivers/rgui.c:6829 - 'if (!(x = calloc(...)))'.
  * menu/menu_setting.c:714 (SETTINGS_LIST_APPEND_internal)
    realloc-to-tmp with NULL check; caller gates config_* on
    its return.
  * menu/menu_setting.c:25854, 25915 - NULL-checked with proper
    unwind.
  * menu/menu_driver.c:4161, 4254 - NULL-checked.
  * menu/menu_screensaver.c:309 - NULL-checked.
  * menu/cbs/ and menu/widgets/ - no raw alloc sites found.
diff --git a/menu/drivers/ozone.c b/menu/drivers/ozone.c
@@ -4623,6 +4623,14 @@ static ozone_node_t *ozone_copy_node(const ozone_node_t *old_node)
 {
    ozone_node_t *new_node = (ozone_node_t*)malloc(sizeof(*new_node));
 
+   /* NULL-check the malloc: '*new_node = *old_node' on the next
+    * line NULL-derefs on OOM.  Caller in ozone_list_deep_copy
+    * handles a NULL return - it just leaves
+    * dst->list[j].userdata = NULL, which matches the 'no
+    * src_udata' branch. */
+   if (!new_node)
+      return NULL;
+
    *new_node              = *old_node;
    new_node->fullpath     = old_node->fullpath
          ? strdup(old_node->fullpath)
@@ -4662,8 +4670,17 @@ static void ozone_list_deep_copy(const file_list_t *src,
       if (src_adata)
       {
          void *data = malloc(sizeof(menu_file_list_cbs_t));
-         memcpy(data, src_adata, sizeof(menu_file_list_cbs_t));
-         dst->list[j].actiondata = data;
+         /* NULL-check the malloc before the memcpy on the next
+          * line NULL-derefs.  On OOM leave actiondata NULL -
+          * matches the 'no src_adata' branch above; file_list
+          * consumers already handle NULL actiondata entries. */
+         if (data)
+         {
+            memcpy(data, src_adata, sizeof(menu_file_list_cbs_t));
+            dst->list[j].actiondata = data;
+         }
+         else
+            dst->list[j].actiondata = NULL;
       }
 
       ++j;
diff --git a/menu/menu_driver.c b/menu/menu_driver.c
@@ -1422,6 +1422,13 @@ static menu_list_t *menu_list_new(const menu_ctx_driver_t *menu_driver_ctx)
    {
       list->menu_stack[i]           = (file_list_t*)
          malloc(sizeof(*list->menu_stack[i]));
+      /* NULL-check before the three field writes below NULL-deref
+       * on OOM.  menu_list_free tolerates a partially-populated
+       * menu_stack (has 'if (!menu_list->menu_stack[i]) continue'
+       * guards), and the array itself was calloc'd above so
+       * unallocated slots past 'i' are already NULL. */
+      if (!list->menu_stack[i])
+         goto error;
       list->menu_stack[i]->list     = NULL;
       list->menu_stack[i]->capacity = 0;
       list->menu_stack[i]->size     = 0;
@@ -1431,6 +1438,9 @@ static menu_list_t *menu_list_new(const menu_ctx_driver_t *menu_driver_ctx)
    {
       list->selection_buf[i]           = (file_list_t*)
          malloc(sizeof(*list->selection_buf[i]));
+      /* Same pattern as the menu_stack loop above. */
+      if (!list->selection_buf[i])
+         goto error;
       list->selection_buf[i]->list     = NULL;
       list->selection_buf[i]->capacity = 0;
       list->selection_buf[i]->size     = 0;
