libretro-common/vfs_cdrom: fix four bugs + regression test

LibretroAdmin · LibretroAdmin · commit 18e15ad8dad9 · 2026-04-19T20:55:26.000+02:00
Four real bugs in vfs_implementation_cdrom.c found during the follow-up audit after the main vfs_implementation.c fixes. Same bug class as the main vfs mmap read overflow already fixed. vfs_cdrom: cuesheet read byte_pos wrap OOB In retro_vfs_file_read_cdrom cuesheet branch: if ((int64_t)len >= (int64_t)stream->cdrom.cue_len - stream->cdrom.byte_pos) len = stream->cdrom.cue_len - stream->cdrom.byte_pos - 1; memcpy(s, stream->cdrom.cue_buf + stream->cdrom.byte_pos, len); cue_len is size_t, byte_pos is int64_t. When byte_pos equals or exceeds cue_len (reachable via seek, which does NOT clamp byte_pos), the subtraction "cue_len - byte_pos - 1" executes as unsigned size_t and wraps to SIZE_MAX. The memcpy then reads SIZE_MAX bytes off the end of cue_buf. Similarly a negative byte_pos (reachable by SEEK_CUR with a negative offset when byte_pos was near zero) becomes a huge size_t after the cast and wraps the same subtraction. Reproduced under ASan: "negative-size-param: (size=-1)" in memcpy at vfs_implementation_cdrom.c:401 Fix: guard byte_pos against being outside [0, cue_len) and clamp len against the remaining bytes using unsigned subtraction against "remaining = cue_len - byte_pos". vfs_cdrom: bin read byte_pos+len wrap OOB Same bug class in the .bin branch: if (stream->cdrom.byte_pos + len > vfs_cdrom_toc.track[stream->cdrom.cur_track - 1].track_bytes) len -= (stream->cdrom.byte_pos + len) - vfs_cdrom_toc.track[stream->cdrom.cur_track - 1].track_bytes; Attacker-controlled len near UINT64_MAX wraps "byte_pos + len" past track_bytes, bypassing the bound check; the downstream cdrom_read() is then called with the unclamped len. Fix: clamp against "remaining = track_bytes - byte_pos" with unsigned subtraction, never adding byte_pos and len. vfs_cdrom: cur_track == 0 indexes track[-1] If a user-controlled VFS path is crafted as "drive1-track00.bin" (or the Windows-style "d:/drive-track00.bin"), the two-digit parser produces cur_track = 0. The read code then does "track[cur_track - 1]" = track[-1], an out-of-bounds read into the struct preceding vfs_cdrom_toc.track[]. Fix: the parser rejects values outside [1, 99] and leaves the default cur_track = 1 in place on reject. The read paths also defensively reject cur_track == 0 before indexing, so a malicious caller that sets cur_track through another vector still cannot trip the OOB. vfs_cdrom: guard cur_track > 99 in bin read TOC array is track[99] (indices 0..98). cur_track is unsigned char so mathematically can reach 255. Defensive check rejects values above 99 before indexing. Reachability: all four bugs are reachable by a core or frontend that has VFS access to a CD-ROM-scheme stream (cdrom://...). Bugs 1 and 2 escalate a weak seek primitive (byte_pos not clamped) into arbitrary OOB reads. VC6 compatibility: the whole file is gated by HAVE_CDROM, which only the Linux and Win32 (non-Xbox) branches set. VC6 is a Win32 target, so its branch compiles. The fix uses only size_t, uint64_t, and standard comparisons -- all VC6-compatible via the existing stdint shim. Regression test: libretro-common/samples/file/vfs_cdrom/ True discriminator for bug #1. Five subtests covering byte_pos==cue_len, byte_pos>cue_len, byte_pos<0, huge len, and a baseline success. On unpatched code: SEGV on byte_pos==cue_len (plain run) ASan: "negative-size-param: (size=-1)" in memcpy On patched code: all five subtests pass cleanly; ASan clean; exit 0 Bug #2 (bin read) and bugs #3/#4 (cur_track parsing) don't get a targeted regression test. Bug #2 would require linking a full cdrom_toc setup which is platform-dependent; bugs #3/#4 are guarded by the parser fix so the failing input cannot reach the OOB path, and writing a white-box test of the parser is low value once the upstream fix is in. CI: libretro-common samples workflow updated. Full dry-run under the GHA shell contract: Built: 14 Ran: 13 Failed: 0
diff --git a/.github/workflows/Linux-libretro-common-samples.yml b/.github/workflows/Linux-libretro-common-samples.yml
@@ -53,6 +53,7 @@ jobs:
             rzip_chunk_size_test
             net_ifinfo
             vfs_read_overflow_test
+            cdrom_cuesheet_overflow_test
           )
 
           # Per-binary run command (overrides ./<binary> if present).
diff --git a/libretro-common/samples/file/vfs_cdrom/Makefile b/libretro-common/samples/file/vfs_cdrom/Makefile
@@ -0,0 +1,48 @@
+TARGET := cdrom_cuesheet_overflow_test
+
+LIBRETRO_COMM_DIR := ../../..
+
+# vfs_implementation_cdrom.c pulls in cdrom.c transitively for its
+# helper functions (cdrom_read, cdrom_write_cue, etc.).  We only
+# exercise the cuesheet read path, but the source file must link
+# against the full cdrom helper library plus file_path for
+# path_get_extension.
+SOURCES := \
+	cdrom_cuesheet_overflow_test.c \
+	$(LIBRETRO_COMM_DIR)/compat/fopen_utf8.c \
+	$(LIBRETRO_COMM_DIR)/compat/compat_strl.c \
+	$(LIBRETRO_COMM_DIR)/encodings/encoding_utf.c \
+	$(LIBRETRO_COMM_DIR)/file/file_path.c \
+	$(LIBRETRO_COMM_DIR)/file/file_path_io.c \
+	$(LIBRETRO_COMM_DIR)/streams/file_stream.c \
+	$(LIBRETRO_COMM_DIR)/time/rtime.c \
+	$(LIBRETRO_COMM_DIR)/cdrom/cdrom.c \
+	$(LIBRETRO_COMM_DIR)/lists/string_list.c \
+	$(LIBRETRO_COMM_DIR)/lists/dir_list.c \
+	$(LIBRETRO_COMM_DIR)/compat/compat_strcasestr.c \
+	$(LIBRETRO_COMM_DIR)/compat/compat_posix_string.c \
+	$(LIBRETRO_COMM_DIR)/memmap/memalign.c \
+	$(LIBRETRO_COMM_DIR)/compat/compat_fnmatch.c \
+	$(LIBRETRO_COMM_DIR)/file/retro_dirent.c \
+	$(LIBRETRO_COMM_DIR)/string/stdstring.c \
+	$(LIBRETRO_COMM_DIR)/vfs/vfs_implementation.c \
+	$(LIBRETRO_COMM_DIR)/vfs/vfs_implementation_cdrom.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -DHAVE_CDROM -I$(LIBRETRO_COMM_DIR)/include
+
+LDLIBS += -lm
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean
diff --git a/libretro-common/samples/file/vfs_cdrom/cdrom_cuesheet_overflow_test.c b/libretro-common/samples/file/vfs_cdrom/cdrom_cuesheet_overflow_test.c
@@ -0,0 +1,171 @@
+/* Regression test for retro_vfs_file_read_cdrom cuesheet byte_pos
+ * wrap (libretro-common/vfs/vfs_implementation_cdrom.c).
+ *
+ * Pre-patch, the cuesheet read path contained:
+ *
+ *   if ((int64_t)len >= (int64_t)stream->cdrom.cue_len
+ *         - stream->cdrom.byte_pos)
+ *       len = stream->cdrom.cue_len - stream->cdrom.byte_pos - 1;
+ *   memcpy(s, stream->cdrom.cue_buf + stream->cdrom.byte_pos, len);
+ *
+ * cue_len is size_t, byte_pos is int64_t.  The subtraction
+ * "cue_len - byte_pos - 1" is performed as unsigned (size_t).  If
+ * byte_pos >= cue_len, the subtraction wraps to a huge size_t and
+ * memcpy reads off the end of cue_buf.  byte_pos can be set to any
+ * value by seek, which does not clamp.
+ *
+ * Post-patch, the read clamps against the remaining bytes with
+ * unsigned subtraction *after* checking that byte_pos is in range,
+ * and returns 0 (EOF) if byte_pos is out of range.
+ *
+ * Post-patch also returns 0 when the computed clamp would be
+ * negative, rather than wrapping to SIZE_MAX.
+ *
+ * The test directly constructs a libretro_vfs_implementation_file
+ * with a small cue_buf, sets byte_pos to a value >= cue_len, and
+ * calls the read function.  Under ASan the pre-patch behaviour
+ * fires heap-buffer-overflow; post-patch returns 0 cleanly.
+ *
+ * Note: this is a Linux-only test because HAVE_CDROM is the only
+ * configuration that compiles the cuesheet code path.  The same
+ * bug exists in the Windows branch of the same file but would
+ * require Win32 headers to exercise directly.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <vfs/vfs.h>
+
+/* Forward-declare the function we're testing.  The real declaration
+ * lives in vfs_implementation_cdrom.h which requires various
+ * platform headers we don't want to drag in for a unit test. */
+int64_t retro_vfs_file_read_cdrom(libretro_vfs_implementation_file *stream,
+      void *s, uint64_t len);
+
+static int failures = 0;
+
+static void test_cuesheet_byte_pos_wrap(void)
+{
+   libretro_vfs_implementation_file stream;
+   char out[64];
+   int64_t rc;
+   const char *fake_cue = "FILE \"track01.bin\" BINARY\nTRACK 01 MODE1/2048\n";
+   size_t cue_size      = strlen(fake_cue) + 1;  /* incl NUL */
+
+   memset(&stream, 0, sizeof(stream));
+
+   stream.cdrom.cue_buf = strdup(fake_cue);
+   if (!stream.cdrom.cue_buf)
+   {
+      printf("[ERROR] strdup failed\n");
+      failures++;
+      return;
+   }
+   stream.cdrom.cue_len = cue_size;
+
+   /* orig_path must end in ".cue" for the read function to dispatch
+    * into the cuesheet path.  The function calls path_get_extension
+    * on it. */
+   stream.orig_path = strdup("test.cue");
+   if (!stream.orig_path)
+   {
+      free(stream.cdrom.cue_buf);
+      printf("[ERROR] strdup failed (orig_path)\n");
+      failures++;
+      return;
+   }
+
+   /* Baseline: read at byte_pos=0 with small len should succeed. */
+   stream.cdrom.byte_pos = 0;
+   rc = retro_vfs_file_read_cdrom(&stream, out, 10);
+   if (rc < 0 || rc > 10)
+   {
+      printf("[ERROR] baseline read: rc=%lld, want 0..10\n",
+            (long long)rc);
+      failures++;
+   }
+   else
+      printf("[SUCCESS] baseline cuesheet read rc=%lld\n", (long long)rc);
+
+   /* Attack 1: byte_pos at cue_len.  Pre-patch:
+    *   cue_len - byte_pos - 1 = 0 - 1 = SIZE_MAX (size_t wrap)
+    *   len = SIZE_MAX, memcpy reads gigabytes -> OOB.
+    * Post-patch: byte_pos >= cue_len, return 0. */
+   stream.cdrom.byte_pos = (int64_t)cue_size;
+   rc = retro_vfs_file_read_cdrom(&stream, out, 10);
+   if (rc != 0)
+   {
+      printf("[ERROR] byte_pos==cue_len: rc=%lld, want 0\n",
+            (long long)rc);
+      failures++;
+   }
+   else
+      printf("[SUCCESS] byte_pos==cue_len returned 0\n");
+
+   /* Attack 2: byte_pos past cue_len.  Pre-patch: same size_t wrap. */
+   stream.cdrom.byte_pos = (int64_t)cue_size + 100;
+   rc = retro_vfs_file_read_cdrom(&stream, out, 10);
+   if (rc != 0)
+   {
+      printf("[ERROR] byte_pos > cue_len: rc=%lld, want 0\n",
+            (long long)rc);
+      failures++;
+   }
+   else
+      printf("[SUCCESS] byte_pos > cue_len returned 0\n");
+
+   /* Attack 3: negative byte_pos.  Pre-patch: cast to size_t gives
+    * SIZE_MAX-ish, then cue_len - huge wraps around into a small
+    * positive value, then memcpy reads gigabytes off cue_buf.
+    * Post-patch: byte_pos < 0, return 0. */
+   stream.cdrom.byte_pos = -1;
+   rc = retro_vfs_file_read_cdrom(&stream, out, 10);
+   if (rc != 0)
+   {
+      printf("[ERROR] byte_pos < 0: rc=%lld, want 0\n", (long long)rc);
+      failures++;
+   }
+   else
+      printf("[SUCCESS] byte_pos < 0 returned 0\n");
+
+   /* Attack 4: huge len at legitimate byte_pos.  Pre-patch: the
+    * (int64_t)len cast makes large len negative and the bound
+    * check behaves unpredictably.  With len = UINT64_MAX the cast
+    * is -1, and the check is "-1 >= cue_len - byte_pos" which for
+    * small cue_len-byte_pos is false -- so the clamp is SKIPPED
+    * and the full UINT64_MAX reaches memcpy.  OOB.
+    * Post-patch: clamp is unsigned, len is compared to unsigned
+    * remaining, clamp always fires correctly. */
+   stream.cdrom.byte_pos = 5;
+   rc = retro_vfs_file_read_cdrom(&stream, out, (uint64_t)-1);
+   {
+      int64_t max_expected = (int64_t)cue_size - 5 - 1;
+      if (rc < 0 || rc > max_expected)
+      {
+         printf("[ERROR] huge len: rc=%lld, want 0..%lld\n",
+               (long long)rc, (long long)max_expected);
+         failures++;
+      }
+      else
+         printf("[SUCCESS] huge len clamped to rc=%lld\n", (long long)rc);
+   }
+
+   free(stream.cdrom.cue_buf);
+   free(stream.orig_path);
+}
+
+int main(void)
+{
+   test_cuesheet_byte_pos_wrap();
+
+   if (failures)
+   {
+      printf("\n%d cdrom test(s) failed\n", failures);
+      return 1;
+   }
+   printf("\nAll cdrom regression tests passed.\n");
+   return 0;
+}
diff --git a/libretro-common/vfs/vfs_implementation_cdrom.c b/libretro-common/vfs/vfs_implementation_cdrom.c
@@ -171,7 +171,13 @@ void retro_vfs_file_open_cdrom(
             if (     path[12] >= '0' && path[12] <= '9'
                   && path[13] >= '0' && path[13] <= '9')
             {
-               stream->cdrom.cur_track = (path[12] - '0') * 10 + (path[13] - '0');
+               unsigned parsed = (path[12] - '0') * 10 + (path[13] - '0');
+               /* Reject track 00 -- track numbers are 1-based, and
+                * cur_track == 0 would later index track[-1] in the
+                * TOC array (OOB read).  Leave the init value (1)
+                * in place on reject. */
+               if (parsed >= 1 && parsed <= 99)
+                  stream->cdrom.cur_track = parsed;
 #ifdef CDROM_DEBUG
                printf("[CDROM] Opening track %d\n", stream->cdrom.cur_track);
                fflush(stdout);
@@ -249,7 +255,13 @@ void retro_vfs_file_open_cdrom(
          if (   path[14] >= '0' && path[14] <= '9'
              && path[15] >= '0' && path[15] <= '9')
          {
-            stream->cdrom.cur_track = (path[14] - '0') * 10 + (path[15] - '0');
+            unsigned parsed = (path[14] - '0') * 10 + (path[15] - '0');
+            /* Reject track 00 -- track numbers are 1-based, and
+             * cur_track == 0 would later index track[-1] in the
+             * TOC array (OOB read).  Leave the init value (1) in
+             * place on reject. */
+            if (parsed >= 1 && parsed <= 99)
+               stream->cdrom.cur_track = parsed;
 #ifdef CDROM_DEBUG
             printf("[CDROM] Opening track %d\n", stream->cdrom.cur_track);
             fflush(stdout);
@@ -396,20 +408,37 @@ int64_t retro_vfs_file_read_cdrom(libretro_vfs_implementation_file *stream,
          && (ext[2] == 'e' || ext[2] == 'E')
          &&  ext[3] == '\0')
    {
-      if ((int64_t)len >= (int64_t)stream->cdrom.cue_len 
-            - stream->cdrom.byte_pos)
-         len = stream->cdrom.cue_len - stream->cdrom.byte_pos - 1;
+      /* Guard against byte_pos being outside the cue buffer (can
+       * happen after a seek -- seek does not clamp).  Treat as
+       * end-of-file. */
+      if (     stream->cdrom.byte_pos < 0
+            || (size_t)stream->cdrom.byte_pos >= stream->cdrom.cue_len)
+         return 0;
+      /* Clamp len against the remaining bytes using unsigned
+       * subtraction.  Computing (byte_pos + len) and comparing
+       * against cue_len wraps uint64_t when len is attacker-
+       * controlled.  The -1 preserves legacy behaviour of stopping
+       * one byte before cue_len so consumers that rely on the cue
+       * buffer being NUL-terminated don't re-read the terminator. */
+      {
+         size_t remaining = stream->cdrom.cue_len
+                          - (size_t)stream->cdrom.byte_pos;
+         if (remaining > 0)
+            remaining -= 1;
+         if (len > (uint64_t)remaining)
+            len = (uint64_t)remaining;
+      }
 #ifdef CDROM_DEBUG
       printf(
             "[CDROM] Read: Reading %" PRIu64 " bytes from cuesheet starting at %" PRIu64 "...\n",
             len,
             stream->cdrom.byte_pos);
       fflush(stdout);
 #endif
-      memcpy(s, stream->cdrom.cue_buf + stream->cdrom.byte_pos, len);
+      memcpy(s, stream->cdrom.cue_buf + stream->cdrom.byte_pos, (size_t)len);
       stream->cdrom.byte_pos += len;
 
-      return len;
+      return (int64_t)len;
    }
    else if ( (ext[0] == 'b' || ext[0] == 'B')
          &&  (ext[1] == 'i' || ext[1] == 'I')
@@ -424,14 +453,28 @@ int64_t retro_vfs_file_read_cdrom(libretro_vfs_implementation_file *stream,
       unsigned char rframe = 0;
       size_t skip          = stream->cdrom.byte_pos % 2352;
 
-      if (stream->cdrom.byte_pos >= 
-            vfs_cdrom_toc.track[stream->cdrom.cur_track - 1].track_bytes)
+      /* Guard against cur_track == 0 (would index track[-1]) and
+       * against an out-of-range byte_pos.  cur_track can become
+       * 0 via a crafted VFS path like "driveN-track00.bin" unless
+       * the parser rejects it (see retro_vfs_file_open_cdrom). */
+      if (stream->cdrom.cur_track == 0
+            || stream->cdrom.cur_track > 99)
          return 0;
-
-      if (stream->cdrom.byte_pos + len > 
-            vfs_cdrom_toc.track[stream->cdrom.cur_track - 1].track_bytes)
-         len -= (stream->cdrom.byte_pos + len) 
-            - vfs_cdrom_toc.track[stream->cdrom.cur_track - 1].track_bytes;
+      {
+         size_t track_bytes =
+            vfs_cdrom_toc.track[stream->cdrom.cur_track - 1].track_bytes;
+         if (     stream->cdrom.byte_pos < 0
+               || (size_t)stream->cdrom.byte_pos >= track_bytes)
+            return 0;
+         /* Clamp len against remaining bytes using unsigned
+          * subtraction.  Computing (byte_pos + len) first is a
+          * uint64_t wrap hazard when len is attacker-controlled. */
+         {
+            size_t remaining = track_bytes - (size_t)stream->cdrom.byte_pos;
+            if (len > (uint64_t)remaining)
+               len = (uint64_t)remaining;
+         }
+      }
 
       cdrom_lba_to_msf(stream->cdrom.cur_lba, &min, &sec, &frame);
       cdrom_lba_to_msf(stream->cdrom.cur_lba 

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ jobs:`
`53`	`53`	`rzip_chunk_size_test`
`54`	`54`	`net_ifinfo`
`55`	`55`	`vfs_read_overflow_test`
	`56`	`+ cdrom_cuesheet_overflow_test`
`56`	`57`	`)`
`57`	`58`
`58`	`59`	`# Per-binary run command (overrides ./<binary> if present).`