input/bsv: bound key_event_count and input_event_count against array size

LibretroAdmin · LibretroAdmin · commit 003a1ff74bdf · 2026-04-28T03:47:05.000+02:00
bsv_movie_handle_read_input_event's read path read attacker-
controlled event counts straight from the .bsv replay file
and used them as loop bounds, indexing into fixed-size
arrays:

  uint8_t   key_event_count;            (.bsv format)
  uint16_t  input_event_count;          (.bsv format)

  bsv_key_data_t   key_events[128];     (struct bsv_movie)
  bsv_input_data_t input_events[512];   (struct bsv_movie)

Pre-this-patch the read loops at lines 822-836 (key) and
848-862 (input) iterated count-times into the fixed-size
arrays with no upper-bound check.  A malformed .bsv could
supply:

  - key_event_count = 255 -&gt; (255-128)*sizeof(bsv_key_data_t)
                         = 1524 bytes of OOB heap-write past
                         key_events[]
  - input_event_count = 65535 -&gt;
                         (65535-512)*sizeof(bsv_input_data_t)
                         = 520184 bytes of OOB heap-write
                         past input_events[]

bsv_movie_t is heap-allocated via calloc in
tasks/task_movie.c::bsv_movie_init_internal so this is a
heap-buffer-overflow with attacker-chosen 8- or 12-byte
payloads at attacker-chosen offsets, producing corruption
of the rest of the bsv_movie_t struct (rewind state,
statestream pointers, save buffers) and far beyond it.

Reachability: the user opens a malformed .bsv file via
Menu -&gt; "Load Replay File" or the --bsvplay command-line
argument.  Same threat class as CDFS / CHD / BPS file-load
bugs -- requires the user to deliberately load attacker-
supplied content.  Initial audit notes flagged this as
netplay-reachable but verification of network/netplay/
netplay_frontend.c shows that netplay's "replay" terminology
refers to internal frame-replay from the netplay ring buffer
and does not invoke the .bsv file-read path; this is a
file-loading bug only.

Fix: in input/bsv/bsvmovie.c, reject the file as malformed
and end playback if either count exceeds its array's
ARRAY_SIZE.  A legitimate writer cannot produce more events
than the array holds because the writer's append path at
lines 489-490 / 475-476 shares the same backing array.

Adds samples/tasks/bsv_replay/bsv_replay_bounds_test as a
regression test, registered in
.github/workflows/Linux-samples-tasks.yml as an ASan-enabled
step.  Four cases covering legitimate counts up to and
including the cap, and out-of-range counts being rejected
without writes.

Test follows the existing samples/tasks pattern (verbatim
copy of the post-fix predicate with maintenance-contract
comment, ASan as the discriminator).  Verified to fire
under ASan when the predicate always returns true:
heap-buffer-overflow WRITE of size 1 at offset 1536 of a
1536-byte allocation in simulate_key_event_read.  With the
predicate the test passes clean.

Note on writer side: the append site at line 489
   movie-&gt;input_events[movie-&gt;input_event_count++] = data;
has no bound check either, but it's not fed by attacker
data and a single frame is unlikely to produce more than
512 events in practice.  Not addressed by this commit; left
for a separate audit pass.
diff --git a/.github/workflows/Linux-samples-tasks.yml b/.github/workflows/Linux-samples-tasks.yml
@@ -150,3 +150,24 @@ jobs:
           test -x input_remap_bounds_test
           timeout 60 ./input_remap_bounds_test
           echo "[pass] input_remap_bounds_test"
+
+      - name: Build and run bsv_replay_bounds_test (ASan)
+        shell: bash
+        working-directory: samples/tasks/bsv_replay
+        run: |
+          set -eu
+          # Regression test for the .bsv replay-file event-count
+          # bounds in input/bsv/bsvmovie.c.  Pre-fix a malformed
+          # replay file with key_event_count > 128 or
+          # input_event_count > 512 caused a heap-buffer-overflow
+          # write into bsv_movie_t (a calloc'd struct) with
+          # attacker-chosen 8/12-byte payloads at attacker-chosen
+          # offsets up to ~500KB.  Build under AddressSanitizer
+          # so any reintroduction of the unbounded count is caught
+          # at the bounds level.  If input/bsv/bsvmovie.c amends
+          # the predicate, the verbatim copy in
+          # bsv_replay_bounds_test.c must follow.
+          make clean all SANITIZER=address
+          test -x bsv_replay_bounds_test
+          timeout 60 ./bsv_replay_bounds_test
+          echo "[pass] bsv_replay_bounds_test"
diff --git a/input/bsv/bsvmovie.c b/input/bsv/bsvmovie.c
@@ -822,6 +822,25 @@ bool bsv_movie_read_next_events(bsv_movie_t *handle,
    if (intfstream_read(handle->file, &(handle->key_event_count), 1) == 1)
    {
       int i;
+      /* key_events is a fixed-size bsv_key_data_t[128] (input_driver.h
+       * line ~259); key_event_count is uint8_t and read straight from
+       * the .bsv file with no inherent bound (max 255).  Pre-this-patch
+       * a malformed replay file could supply 129..255 here and the
+       * intfstream_read into &handle->key_events[i] would OOB-write up
+       * to (255-128)*12 = 1524 bytes past the end of the array, into
+       * adjacent fields of bsv_movie_t (input_event_count,
+       * input_events[]) and beyond.  Reject as malformed -- a
+       * legitimate writer cannot produce more than 128 key events per
+       * frame because it shares the same backing array. */
+      if (handle->key_event_count > ARRAY_SIZE(handle->key_events))
+      {
+         RARCH_ERR("[Replay] key_event_count %u exceeds storage capacity %u; rejecting malformed replay\n",
+               (unsigned)handle->key_event_count,
+               (unsigned)ARRAY_SIZE(handle->key_events));
+         if (end_movie)
+            input_st->bsv_movie_state.flags |= BSV_FLAG_MOVIE_END;
+         return false;
+      }
       for (i = 0; i < handle->key_event_count; i++)
       {
          if (intfstream_read(handle->file, &(handle->key_events[i]),
@@ -849,6 +868,27 @@ bool bsv_movie_read_next_events(bsv_movie_t *handle,
       {
          int i;
          handle->input_event_count = swap_if_big16(handle->input_event_count);
+         /* Same shape as the key_event_count check above: input_events
+          * is bsv_input_data_t[512] (input_driver.h line ~260) but
+          * input_event_count is uint16_t read straight from the .bsv
+          * (max 65535).  Pre-this-patch a malformed replay file with
+          * a count of 65535 would have driven the loop below into
+          * (65535-512)*8 = 520184 bytes of OOB heap-write past
+          * input_events[], corrupting the rest of the bsv_movie_t
+          * struct (rewind state, statestream pointers, save buffers)
+          * and far beyond.  bsv_movie_t is heap-allocated via calloc
+          * in tasks/task_movie.c::bsv_movie_init_internal so this is
+          * a heap-buffer-overflow with attacker-chosen 8-byte values
+          * at attacker-chosen offsets up to ~500KB. */
+         if (handle->input_event_count > ARRAY_SIZE(handle->input_events))
+         {
+            RARCH_ERR("[Replay] input_event_count %u exceeds storage capacity %u; rejecting malformed replay\n",
+                  (unsigned)handle->input_event_count,
+                  (unsigned)ARRAY_SIZE(handle->input_events));
+            if (end_movie)
+               input_st->bsv_movie_state.flags |= BSV_FLAG_MOVIE_END;
+            return false;
+         }
          for (i = 0; i < handle->input_event_count; i++)
          {
             if (intfstream_read(handle->file, &(handle->input_events[i]),
diff --git a/samples/tasks/bsv_replay/Makefile b/samples/tasks/bsv_replay/Makefile
@@ -0,0 +1,25 @@
+TARGET := bsv_replay_bounds_test
+
+SOURCES := bsv_replay_bounds_test.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -O0
+
+ifneq ($(SANITIZER),)
+   CFLAGS  := -fsanitize=$(SANITIZER) -fno-omit-frame-pointer $(CFLAGS)
+   LDFLAGS := -fsanitize=$(SANITIZER) $(LDFLAGS)
+endif
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean
diff --git a/samples/tasks/bsv_replay/bsv_replay_bounds_test.c b/samples/tasks/bsv_replay/bsv_replay_bounds_test.c
@@ -0,0 +1,270 @@
+/* Copyright  (C) 2010-2026 The RetroArch team
+ *
+ * ---------------------------------------------------------------------------------------
+ * The following license statement only applies to this file (bsv_replay_bounds_test.c).
+ * ---------------------------------------------------------------------------------------
+ *
+ * Permission is hereby granted, free of charge,
+ * to any person obtaining a copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+/* Regression test for the .bsv replay-file event-count bounds in
+ * input/bsv/bsvmovie.c.
+ *
+ * The .bsv replay format stores per-frame input events as:
+ *   uint8_t  key_event_count;
+ *   bsv_key_data_t   key_events[key_event_count];
+ *   uint16_t input_event_count;       (versions > 0)
+ *   bsv_input_data_t input_events[input_event_count];
+ *
+ * The runtime stores those into fixed-size arrays:
+ *   bsv_key_data_t   key_events[128];        (struct bsv_movie)
+ *   bsv_input_data_t input_events[512];      (struct bsv_movie)
+ *
+ * Pre-fix, the read loop iterated count-times into the
+ * fixed-size array with no upper bound check.  A malformed
+ * .bsv with key_event_count = 255 wrote up to (255-128)*12 =
+ * 1524 bytes past key_events[]; with input_event_count =
+ * 65535, up to (65535-512)*8 = 520184 bytes past
+ * input_events[].  bsv_movie_t is heap-allocated via calloc
+ * in tasks/task_movie.c so this was a heap-buffer-overflow
+ * with attacker-chosen 8- or 12-byte payloads at attacker-
+ * chosen offsets.
+ *
+ * Reachability: user opens a malicious .bsv file (Menu ->
+ * Load Replay File or --bsvplay).  Same threat class as
+ * other file-loading bugs (CDFS / CHD / BPS).
+ *
+ * Fix: in input/bsv/bsvmovie.c, reject the file as malformed
+ * if either count exceeds its array size.  A legitimate
+ * writer cannot produce more events than the array holds
+ * because the same array backs the writer's append path.
+ *
+ * IMPORTANT: this test keeps a verbatim copy of the post-fix
+ * bound-check predicate.  If input/bsv/bsvmovie.c amends the
+ * predicate, the copy below must follow.  Convention used by
+ * archive_name_safety_test, http_method_match_test,
+ * video_shader_wildcard_test, input_remap_bounds_test in
+ * this directory tree.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+/* Mirror constants from input/input_driver.h. */
+#define KEY_EVENTS_CAP    128
+#define INPUT_EVENTS_CAP  512
+
+/* Mirror layout of bsv_key_data and bsv_input_data from
+ * input/input_driver.h lines 221-240. */
+typedef struct {
+   uint8_t  down;
+   uint8_t  _padding;
+   uint16_t mod;
+   uint32_t code;
+   uint32_t character;
+} mock_key_data_t;
+
+typedef struct {
+   uint8_t  port;
+   uint8_t  device;
+   uint8_t  idx;
+   uint8_t  _padding;
+   uint16_t id;
+   int16_t  value;
+} mock_input_data_t;
+
+#ifndef ARRAY_SIZE
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#endif
+
+static int failures = 0;
+
+/* === verbatim copy of the post-fix bound-check predicate
+ *     from input/bsv/bsvmovie.c.  Returns 1 if the count is
+ *     valid, 0 if it would have OOB-written.  If
+ *     bsvmovie.c's predicate amends, this copy must follow.
+ *     === */
+static int key_event_count_in_bounds(unsigned key_event_count,
+      unsigned key_events_cap)
+{
+   if (key_event_count > key_events_cap)
+      return 0;
+   return 1;
+}
+
+static int input_event_count_in_bounds(unsigned input_event_count,
+      unsigned input_events_cap)
+{
+   if (input_event_count > input_events_cap)
+      return 0;
+   return 1;
+}
+/* === end verbatim copy === */
+
+/* Drive a write loop the way the production read path does.
+ * Returns 1 if all writes succeeded, 0 if the bound rejected.
+ * Used to confirm under ASan that out-of-range counts no
+ * longer cause OOB writes when the bound fires.
+ *
+ * Buffer is sized exactly to the cap so any reintroduction of
+ * the unbounded loop is flagged by ASan on the first OOB
+ * index. */
+static int simulate_input_event_read(unsigned count)
+{
+   /* Allocate exactly the production cap (no slack) so ASan
+    * flags the first OOB index. */
+   mock_input_data_t *events = (mock_input_data_t*)
+         malloc(sizeof(mock_input_data_t) * INPUT_EVENTS_CAP);
+   unsigned i;
+   if (!events)
+      return 0;
+
+   if (!input_event_count_in_bounds(count, INPUT_EVENTS_CAP))
+   {
+      free(events);
+      return 0;  /* correctly rejected */
+   }
+
+   for (i = 0; i < count; i++)
+   {
+      events[i].port    = 1;
+      events[i].device  = 2;
+      events[i].idx     = 3;
+      events[i].id      = 0xCAFE;
+      events[i].value   = 0x1234;
+   }
+
+   free(events);
+   return 1;
+}
+
+static int simulate_key_event_read(unsigned count)
+{
+   mock_key_data_t *events = (mock_key_data_t*)
+         malloc(sizeof(mock_key_data_t) * KEY_EVENTS_CAP);
+   unsigned i;
+   if (!events)
+      return 0;
+
+   if (!key_event_count_in_bounds(count, KEY_EVENTS_CAP))
+   {
+      free(events);
+      return 0;
+   }
+
+   for (i = 0; i < count; i++)
+   {
+      events[i].down       = 1;
+      events[i].mod        = 0;
+      events[i].code       = 0x1234;
+      events[i].character  = 'A';
+   }
+
+   free(events);
+   return 1;
+}
+
+/* ---- tests ------------------------------------------------ */
+
+static void test_key_count_legitimate(void)
+{
+   /* All counts up to and including the cap must succeed. */
+   unsigned counts[] = { 0, 1, 64, 127, 128 };
+   size_t i;
+   for (i = 0; i < ARRAY_SIZE(counts); i++)
+   {
+      if (!simulate_key_event_read(counts[i]))
+      {
+         printf("[ERROR] legitimate key_event_count %u rejected\n",
+               counts[i]);
+         failures++;
+         return;
+      }
+   }
+   printf("[SUCCESS] legitimate key_event_counts (0..128) accepted\n");
+}
+
+static void test_key_count_oob_rejected(void)
+{
+   /* Any uint8 value above 128 must reject before any write. */
+   unsigned counts[] = { 129, 200, 254, 255 };
+   size_t i;
+   for (i = 0; i < ARRAY_SIZE(counts); i++)
+   {
+      if (simulate_key_event_read(counts[i]))
+      {
+         printf("[ERROR] OOB key_event_count %u was not rejected\n",
+               counts[i]);
+         failures++;
+         return;
+      }
+   }
+   printf("[SUCCESS] OOB key_event_counts (129..255) rejected without writes\n");
+}
+
+static void test_input_count_legitimate(void)
+{
+   unsigned counts[] = { 0, 1, 256, 511, 512 };
+   size_t i;
+   for (i = 0; i < ARRAY_SIZE(counts); i++)
+   {
+      if (!simulate_input_event_read(counts[i]))
+      {
+         printf("[ERROR] legitimate input_event_count %u rejected\n",
+               counts[i]);
+         failures++;
+         return;
+      }
+   }
+   printf("[SUCCESS] legitimate input_event_counts (0..512) accepted\n");
+}
+
+static void test_input_count_oob_rejected(void)
+{
+   /* The pathological values: just-over-cap and uint16 max. */
+   unsigned counts[] = { 513, 1024, 32768, 65534, 65535 };
+   size_t i;
+   for (i = 0; i < ARRAY_SIZE(counts); i++)
+   {
+      if (simulate_input_event_read(counts[i]))
+      {
+         printf("[ERROR] OOB input_event_count %u was not rejected\n",
+               counts[i]);
+         failures++;
+         return;
+      }
+   }
+   printf("[SUCCESS] OOB input_event_counts (513..65535) rejected without writes\n");
+}
+
+int main(void)
+{
+   test_key_count_legitimate();
+   test_key_count_oob_rejected();
+   test_input_count_legitimate();
+   test_input_count_oob_rejected();
+
+   if (failures)
+   {
+      printf("\n%d bsv_replay_bounds test(s) failed\n", failures);
+      return 1;
+   }
+   printf("\nAll bsv_replay_bounds regression tests passed.\n");
+   return 0;
+}
