libretro-common: clamp word_wrap_wideglyph return to bytes-written + CI

word_wrap_wideglyph violated its implicit contract that the returned
length always fits inside the destination buffer.  Three return paths
forwarded strlcpy()'s return value, which is strlen(src) per spec --
not bytes-actually-written -- so on truncation the function returned
a value larger than the destination it had written into.

The sister function word_wrap() has a `len < src_len + 1` guard up
front that bails to 0 when the buffer is too small, sidestepping
this entirely.  word_wrap_wideglyph has no such guard and tries to
fit what it can, which is correct behaviour, but the inflated return
breaks every caller that uses it as a length argument.

Concrete impact: three menu drivers (xmb, ozone, materialui) feed
this return value as the `n` argument to memchr() over the wrapped
destination buffer when laying out messageboxes
(xmb_render_messagebox_internal at xmb.c line ~1183;
ozone_draw_messagebox at ozone.c line ~7362;
materialui_render_messagebox at materialui.c line ~2825).  Pre-patch,
an inflated `n` walks memchr past the destination into adjacent stack
memory (the lines[] / line_lengths[] arrays the messagebox helpers
keep right next to the wrapped buffer).  A '\n' byte found there
yields a wild pointer used in pointer arithmetic and as a length
argument to font_driver_get_message_width(), causing stack info
disclosure or a crash.

The wideglyph path is selected by msg_hash_get_wideglyph_str(), so
the bug is reachable in CJK locales (Japanese, Korean, Chinese) via
any messagebox payload exceeding MENU_LABEL_MAX_LENGTH (256 bytes
default) -- error notifications, file paths, network handshake
text, search results.

Two issues fixed in stdstring.c:

* Return value: every truncating return path
  (`return strlcpy(...)` and `return (s - s_start) + strlcpy(...)`)
  now clamps strlcpy's return to the actual bytes written:

      copied = strlcpy(s, src, n);
      if (copied >= n) copied = (n > 0) ? n - 1 : 0;
      return [(s - s_start) +] copied;

  This avoids introducing a strnlen() dependency (not used anywhere
  else in libretro-common, portability concerns on old MSVC).

* `len` semantic drift: the loop body decremented `len` by char_len
  on every byte written, while the early-return paths computed
  `remaining = len - (s - s_start)`.  Both expressions track "bytes
  used", so the formula effectively double-subtracted, yielding a
  too-small `remaining` and forcing the strlcpys to truncate harder
  than necessary.  The lastspace/lastwideglyph rewinds at lines ~411
  and ~429 also moved `s` backward without a matching `len` adjustment,
  desyncing the two over time.  Drop the `len -= char_len`, compute
  `remaining = len - (s - s_start)` once at the top of each loop
  iteration (and reuse it for the buffer-overflow guard previously
  spelled `if (char_len >= len)`).  `len` now stays constant across
  the function body, matching word_wrap()'s convention.

Regression test: libretro-common/samples/string/word_wrap_overflow
_test/.  Five cases covering both truncating and non-truncating
inputs across the line-358 early-return path and the main-loop
late-return paths.  The discriminator is two-fold: the test asserts
return-value-vs-bytes-written directly, AND mimics the menu drivers'
call shape by feeding the returned value to memchr() over the
destination, so an ASan build catches pre-patch failures via
heap-buffer-overflow on the memchr.  Verified by running against
both pre-patch and post-patch stdstring.c:

    pre-patch:  short_input_tiny_dest fails
                (returned=47, dst_size=16) -> exit 1
    post-patch: all five cases pass -> exit 0

CI: word_wrap_overflow_test added to RUN_TARGETS in
.github/workflows/Linux-libretro-common-samples.yml.  Builds under
SANITIZER=address,undefined like the other overflow regression
tests in the same workflow (rpng_chunk_overflow_test,
vfs_read_overflow_test, cdrom_cuesheet_overflow_test,
chd_meta_overflow_test, cdfs_dir_record_test, rzip_chunk_size_test).

Note on libretro-common/test/string/test_stdstring.c (the
libcheck-based suite): I considered adding a unit-test entry there
too, but the file is already broken at HEAD on master --
test_string_replacesubstr calls string_replace_substring with the
old 3-arg signature, but the API was extended to 5 args some time
ago; the test fails to compile.  Wiring up Makefile.test in CI
would have caught that regression but is out of scope here.
The samples-based regression test is the working surface and
matches the established pattern for every other overflow test
in the tree.

Author: LibretroAdmin

.github/workflows/Linux-libretro-common-samples.yml

@@ -76,6 +76,7 @@ jobs:
             rbmp_test
             rpng_chunk_overflow_test
             rpng_roundtrip_test
+            word_wrap_overflow_test
           )
 
           # Per-binary run command (overrides ./<binary> if present).

libretro-common/samples/string/word_wrap_overflow_test/Makefile

@@ -0,0 +1,35 @@
+TARGET := word_wrap_overflow_test
+
+LIBRETRO_COMM_DIR := ../../..
+
+# word_wrap_wideglyph lives in libretro-common/string/stdstring.c.
+# Its only non-libc dependency is utf8skip from encoding_utf.c
+# (used to walk UTF-8 codepoint boundaries in the input string).
+SOURCES := \
+	word_wrap_overflow_test.c \
+	$(LIBRETRO_COMM_DIR)/string/stdstring.c \
+	$(LIBRETRO_COMM_DIR)/encodings/encoding_utf.c \
+	$(LIBRETRO_COMM_DIR)/compat/compat_strl.c \
+	$(LIBRETRO_COMM_DIR)/compat/compat_posix_string.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -O0 -I$(LIBRETRO_COMM_DIR)/include
+
+ifneq ($(SANITIZER),)
+   CFLAGS  := -fsanitize=$(SANITIZER) -fno-omit-frame-pointer $(CFLAGS)
+   LDFLAGS := -fsanitize=$(SANITIZER) $(LDFLAGS)
+endif
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean

libretro-common/samples/string/word_wrap_overflow_test/word_wrap_overflow_test.c

@@ -0,0 +1,271 @@
+/* Regression test for return-value-exceeds-bytes-written in
+ * word_wrap_wideglyph (libretro-common/string/stdstring.c).
+ *
+ * Pre-patch, word_wrap_wideglyph had three classes of return path
+ * that propagated strlcpy()'s return value directly, e.g.:
+ *
+ *   if (src_end - src < line_width)
+ *      return strlcpy(s, src, len);
+ *
+ *   ...
+ *
+ *   return (size_t)(s - s_start) + strlcpy(s, src, remaining);
+ *
+ * strlcpy() returns strlen(src), not bytes-actually-written, so on
+ * truncation (destination smaller than source) the returned value
+ * exceeds the number of bytes written into the destination buffer.
+ *
+ * The sister function word_wrap() has a `len < src_len + 1` guard
+ * up front that bails to 0 when the buffer is too small, sidestepping
+ * the issue.  word_wrap_wideglyph has no such guard and tries to fit
+ * what it can -- which is correct behaviour, but the inflated return
+ * value violates the implicit contract every caller in the tree
+ * depends on.
+ *
+ * Concrete impact: three menu drivers (xmb, ozone, materialui) feed
+ * this return value as the `n` argument to memchr() over the wrapped
+ * destination buffer, looking for newline boundaries when laying out
+ * messageboxes.  Pre-patch, an inflated `n` walks memchr past the
+ * buffer end into adjacent stack memory.  A '\n' (0x0A) byte found
+ * there yields a wild pointer used in pointer arithmetic and as a
+ * length argument to font_driver_get_message_width(), leading to
+ * stack info disclosure or a crash.  Reachable in CJK locales
+ * (which select word_wrap_wideglyph via msg_hash_get_wideglyph_str)
+ * via any messagebox payload that exceeds MENU_LABEL_MAX_LENGTH
+ * (default 256 bytes) -- error notifications, file paths, network
+ * handshake text, search results.
+ *
+ * Post-patch, every return path computes bytes-actually-written
+ * from strlcpy's contract:
+ *
+ *   copied = strlcpy(s, src, n);
+ *   if (copied >= n) copied = (n > 0) ? n - 1 : 0;
+ *   return ... + copied;
+ *
+ * so the returned value is always a valid offset into the
+ * destination buffer.  This test asserts that invariant directly
+ * and additionally exercises the call shape used by the menu
+ * drivers (memchr over the destination using the returned length),
+ * so ASan flags pre-patch builds with heap-buffer-overflow.
+ *
+ * The test uses heap allocation (not a stack buffer) so ASan's
+ * red-zone instrumentation gives a sharp signal when the bug is
+ * present.  Without ASan, the test still detects the bug on its
+ * own via the return-value-exceeds-buffer-size assertion.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <string/stdstring.h>
+
+static int failures = 0;
+
+/* A long ASCII source with no embedded newlines or wide glyphs.
+ * "ASCII through wideglyph" is the worst-case for this function:
+ * line 358's early-return branch fires only when the entire input
+ * is shorter than line_width, so we must use input >= line_width
+ * to drive flow through the main loop and the late-return paths
+ * at lines 384 / 420 / 438.  The rewinds happen at every space.
+ */
+static const char *long_src =
+   "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam "
+   "nec enim quis orci euismod efficitur at nec arcu. Vivamus "
+   "imperdiet est feugiat massa rhoncus porttitor at vitae ante. "
+   "Nunc a orci vel ipsum tempor posuere sed a lacus. Ut erat "
+   "odio, ultrices vitae iaculis fringilla, iaculis ut eros. Sed "
+   "facilisis viverra lectus et ullamcorper. Aenean risus ex, "
+   "ornare eget scelerisque ac, imperdiet eu ipsum. Morbi "
+   "pellentesque erat metus, sit amet aliquet libero rutrum et. "
+   "Integer non ullamcorper tellus.";
+
+static void check_return_value(const char *case_name,
+      char *dst, size_t dst_size, size_t returned,
+      const char *src)
+{
+   /* Returned length must NEVER exceed bytes-actually-written.
+    * Bytes written is at most dst_size - 1 (room for the NUL). */
+   if (returned >= dst_size)
+   {
+      printf("[ERROR] %s: word_wrap_wideglyph returned %zu, "
+            "destination buffer is only %zu bytes (cannot exceed "
+            "%zu bytes-written)\n",
+            case_name, returned, dst_size,
+            dst_size > 0 ? dst_size - 1 : 0);
+      failures++;
+      return;
+   }
+
+   /* Returned length must equal strlen of the destination -- this
+    * is the contract menu-driver callers depend on. */
+   {
+      size_t actual = strlen(dst);
+      if (returned != actual)
+      {
+         printf("[ERROR] %s: word_wrap_wideglyph returned %zu but "
+               "strlen(dst) is %zu\n",
+               case_name, returned, actual);
+         failures++;
+         return;
+      }
+   }
+
+   /* Mimic the ozone/xmb/materialui messagebox call shape: use the
+    * returned value as the `n` argument to memchr() over the
+    * destination buffer.  Pre-patch, an inflated returned value
+    * walks memchr past the buffer.  ASan flags this as a heap-
+    * buffer-overflow.  Post-patch, the read stays within dst. */
+   {
+      const char *nl = (const char *)memchr(dst, '\n', returned);
+      (void)nl; /* presence/absence not asserted; the read itself
+                 * is the test (ASan is the discriminator) */
+   }
+
+   /* (void) src to suppress unused-parameter when not in debug. */
+   (void)src;
+
+   printf("[SUCCESS] %s: returned=%zu, strlen(dst)=%zu, dst_size=%zu\n",
+         case_name, returned, strlen(dst), dst_size);
+}
+
+/* Case 1: destination smaller than line_width.
+ * Pre-patch this hits the `src_end - src < line_width` branch?
+ * No -- src_len > line_width, so we reach the main loop.  The
+ * rewinds at lastspace cause early returns at lines 384/420/438
+ * via strlcpy with a too-small `remaining`. */
+static void test_truncating_normal_case(void)
+{
+   const size_t dst_size = 64;
+   char *dst = (char *)malloc(dst_size);
+   size_t returned;
+
+   if (!dst) { printf("[FATAL] OOM\n"); failures++; return; }
+
+   memset(dst, 0xCC, dst_size);   /* poison so strlen catches non-NUL-termination */
+   dst[dst_size - 1] = '\0';      /* ensure strlen() terminates if NUL is missing */
+
+   returned = word_wrap_wideglyph(dst, dst_size, long_src,
+         strlen(long_src),
+         /* line_width */ 40,
+         /* wideglyph_width */ 100,
+         /* max_lines */ 0);
+
+   check_return_value("truncating_normal", dst, dst_size, returned, long_src);
+   free(dst);
+}
+
+/* Case 2: very small destination (smaller than even one line
+ * worth of source).  Pre-patch this still hits the buggy path
+ * because the loop's char_len-vs-len check at line 367 stopped
+ * the loop, leaving s_start..s short, but the late strlcpy
+ * (whichever fired first) still returned a too-large value. */
+static void test_truncating_tiny_dest(void)
+{
+   const size_t dst_size = 16;
+   char *dst = (char *)malloc(dst_size);
+   size_t returned;
+
+   if (!dst) { printf("[FATAL] OOM\n"); failures++; return; }
+
+   memset(dst, 0xCC, dst_size);
+   dst[dst_size - 1] = '\0';
+
+   returned = word_wrap_wideglyph(dst, dst_size, long_src,
+         strlen(long_src), 40, 100, 0);
+
+   check_return_value("truncating_tiny_dest", dst, dst_size,
+         returned, long_src);
+   free(dst);
+}
+
+/* Case 3: destination is exactly large enough for the whole
+ * wrapped output.  Tests that the fix doesn't regress the
+ * non-truncating case -- return value should equal strlen(dst). */
+static void test_fits(void)
+{
+   const size_t dst_size = 1024;
+   char *dst = (char *)malloc(dst_size);
+   size_t returned;
+
+   if (!dst) { printf("[FATAL] OOM\n"); failures++; return; }
+
+   memset(dst, 0xCC, dst_size);
+   dst[dst_size - 1] = '\0';
+
+   returned = word_wrap_wideglyph(dst, dst_size, long_src,
+         strlen(long_src), 40, 100, 0);
+
+   check_return_value("fits", dst, dst_size, returned, long_src);
+   free(dst);
+}
+
+/* Case 4: input shorter than line_width -- exercises the early
+ * return at line 358 (the simplest of the buggy paths).  Pre-
+ * patch, this returns strlen(short_src), which is fine when the
+ * destination is large enough.  This case verifies post-patch
+ * doesn't regress the easy path. */
+static void test_short_input_large_dest(void)
+{
+   const char *short_src = "Hello, world.";
+   const size_t dst_size = 64;
+   char *dst = (char *)malloc(dst_size);
+   size_t returned;
+
+   if (!dst) { printf("[FATAL] OOM\n"); failures++; return; }
+
+   memset(dst, 0xCC, dst_size);
+   dst[dst_size - 1] = '\0';
+
+   returned = word_wrap_wideglyph(dst, dst_size, short_src,
+         strlen(short_src), 40, 100, 0);
+
+   check_return_value("short_input_large_dest", dst, dst_size,
+         returned, short_src);
+   free(dst);
+}
+
+/* Case 5: input shorter than line_width AND destination too small.
+ * This is the line-358 truncation case: pre-patch returns
+ * strlen(src) which exceeds dst_size; post-patch clamps to dst_size-1. */
+static void test_short_input_tiny_dest(void)
+{
+   const char *src = "Hello, world! This is a moderately long string.";
+   const size_t dst_size = 16; /* smaller than src */
+   char *dst = (char *)malloc(dst_size);
+   size_t returned;
+
+   if (!dst) { printf("[FATAL] OOM\n"); failures++; return; }
+
+   memset(dst, 0xCC, dst_size);
+   dst[dst_size - 1] = '\0';
+
+   /* line_width chosen larger than src_len so the function takes
+    * the line-358 early-return path. */
+   returned = word_wrap_wideglyph(dst, dst_size, src,
+         strlen(src),
+         /* line_width */ 100, /* > strlen(src) */
+         100, 0);
+
+   check_return_value("short_input_tiny_dest", dst, dst_size,
+         returned, src);
+   free(dst);
+}
+
+int main(void)
+{
+   test_truncating_normal_case();
+   test_truncating_tiny_dest();
+   test_fits();
+   test_short_input_large_dest();
+   test_short_input_tiny_dest();
+
+   if (failures)
+   {
+      printf("\n%d word_wrap_wideglyph regression test(s) failed\n",
+            failures);
+      return 1;
+   }
+   printf("\nAll word_wrap_wideglyph regression tests passed.\n");
+   return 0;
+}