net/http: fix realloc-assign-self leak on shrink failure in net_http_receive_body

LibretroAdmin · LibretroAdmin · commit 04252ecee9ac · 2026-04-23T21:40:20.000+02:00
The 'response has errored out and is terminal' branch at the top of
net_http_receive_body did a classic realloc-to-self assignment:

    if (response-&gt;buflen != response-&gt;len)
       response-&gt;data   = (char*)realloc(response-&gt;data, response-&gt;len);

If realloc() returns NULL (rare on shrink, not impossible - a
shrink can still fail if the allocator needs to split the region
or move to a smaller size-class and can't), the original buffer
is leaked and response-&gt;data becomes NULL.  If anything downstream
reads response-&gt;data (the caller's tear-down that follows could
try to decode response body, log it, or copy it), that's a second
NULL-deref stacked on the leak.

Every other realloc in this file already uses the tmp-pointer
pattern - lines 1393, 1409, 1489, 1528, 1544, 1559, 1650.  The
sibling at line 1528 does the exact same shrink operation (same
'response-&gt;buflen != response-&gt;len' guard) and correctly keeps
the old buffer on failure:

    char *tmp = (char*)realloc(response-&gt;data, response-&gt;len);
    if (!tmp) { state-&gt;err = true; return false; }
    response-&gt;data = tmp;

Fix: apply the same tmp-pointer pattern to the line 1432 case.
Unlike line 1528 which bails out with an error on shrink fail,
this site is already in the terminal P_DONE state with state-&gt;err
effectively set (we entered the branch because 'newlen &lt; 0 ||
state-&gt;err'), so the correct failure behaviour is to just keep
the oversized-but-valid buffer and let the return-true upstream
mark the state machine done.  The buffer will be free()d by
net_http_delete once the caller tears the transfer down.

Thread-safety: unchanged.  net_http_receive_body runs on the
thread that owns the http_t state, which is the task queue's
processing thread for task-mode usage.
diff --git a/libretro-common/net/net_http.c b/libretro-common/net/net_http.c
@@ -1429,7 +1429,19 @@ static bool net_http_receive_body(struct http_t *state, ssize_t newlen)
          return false;
       response->part      = P_DONE;
       if (response->buflen != response->len)
-         response->data   = (char*)realloc(response->data, response->len);
+      {
+         /* Shrink response->data from buflen bytes to len bytes.
+          * Use a tmp pointer so a realloc() failure (rare on shrink
+          * but not impossible) does not overwrite response->data
+          * with NULL and leak the original buffer.  Sibling shrink
+          * path at ~line 1528 already uses this pattern; this was
+          * the lone holdout.  On failure we keep the oversized-
+          * but-valid buffer - this is a terminal state (P_DONE)
+          * and the caller tears down shortly afterwards. */
+         char *tmp = (char*)realloc(response->data, response->len);
+         if (tmp)
+            response->data = tmp;
+      }
       return true;
    }
 
