tasks/task_save: NULL-check temp_data malloc in content_undo_load_state

LibretroAdmin · LibretroAdmin · commit 0563af5c329f · 2026-04-24T01:21:17.000+02:00
/* We need to make a temporary copy of the buffer, to allow the swap below */
    temp_data              = malloc(undo_load_buf.size);
    temp_data_size         = undo_load_buf.size;
    memcpy(temp_data, undo_load_buf.data, undo_load_buf.size);

Unchecked malloc; the memcpy on the next line NULL-derefs on
OOM.  This is the undo-load-state path triggered from the menu
('Undo Load State' action) - takes the previous savestate that
content_load_state overwrote and swaps it back in.

Fix: NULL-check temp_data.  On OOM tear down the 'blocks' SRAM-
backup array that was built earlier in this same function (lines
190-212 pre-patch - it mirrors current SRAM into a scratch buffer
across the deserialize).  Mirrors the normal-return cleanup path
at the bottom of the function.

Not using goto-cleanup because the existing function structure
doesn't have a single exit point and retrofitting one would
churn unrelated code.  The inline cleanup at the OOM exit
reproduces the same two-loop teardown verbatim.

=== Not a bug ===

The pre-existing 'blocks[i].data = malloc(blocks[i].size)' at
line 212 and the matching one in content_load_state at line
1087 are both unchecked, but they don't crash: every downstream
use of blocks[i].data is gated on 'if (blocks[i].data)' (lines
217 and 1092 in the respective functions).  On OOM the
corresponding SRAM block just isn't backed up / restored, which
is a graceful degrade.

=== Thread-safety ===

content_undo_load_state runs on the main/runloop thread.  No
shared-state mutations; no lock discipline changes.

=== Reachability ===

User-triggered via menu 'Undo Load State' or the configured
hotkey.  undo_load_buf.size is the size of the previous save-
state, typically tens of KB to a few MB depending on core.
Realistic OOM site on memory-tight embedded/handheld targets.
diff --git a/tasks/task_save.c b/tasks/task_save.c
@@ -230,6 +230,22 @@ bool content_undo_load_state(void)
 
    /* We need to make a temporary copy of the buffer, to allow the swap below */
    temp_data              = malloc(undo_load_buf.size);
+   /* NULL-check the malloc before the memcpy on the next line
+    * NULL-derefs.  On OOM we also need to tear down the 'blocks'
+    * array built above to match the normal-return cleanup path
+    * at the end of this function.  Not using goto-cleanup because
+    * the existing function structure doesn't have a single exit
+    * point and retrofitting one would churn unrelated code. */
+   if (!temp_data)
+   {
+      for (i = 0; i < num_blocks; i++)
+      {
+         free(blocks[i].data);
+         blocks[i].data = NULL;
+      }
+      free(blocks);
+      return false;
+   }
    temp_data_size         = undo_load_buf.size;
    memcpy(temp_data, undo_load_buf.data, undo_load_buf.size);
 
