libretro-common/queues: bound fifo_write/read + reject SIZE_MAX init

Audit-pass on libretro-common/queues/fifo_queue.c found three
defensive gaps.  Each is currently latent (audio + gfx widget
callers all gate on FIFO_WRITE_AVAIL / FIFO_READ_AVAIL before
calling fifo_write / fifo_read) but the function trusts @len
unconditionally, so any future caller that forgets the gate
silently corrupts memory rather than dropping the request.

* fifo_write: out-of-bounds write when @len exceeds available
  space (libretro-common/queues/fifo_queue.c).  The wrap-around
  branch computes rest_write = len - first_write and memcpy()s
  rest_write bytes starting at buffer->buffer; for any @len
  exceeding @buffer->size, that second memcpy walks off the end
  of the backing allocation.  Worse, the gating test
  `buffer->end + len > buffer->size` itself wraps in size_t for
  huge @len, mis-routing the call into a single-memcpy branch
  with @len bytes of unbounded write.  Fix by capping @len at
  FIFO_WRITE_AVAIL(buffer) on entry.  No-op for current callers
  (they already cap); turns the latent overrun into a defined
  silent truncation for any future caller that forgets to gate.

* fifo_read: same out-of-bounds shape on the read side --
  rest_read bytes copied past the end of @buffer->buffer when
  @len exceeds the readable range.  Same fix: cap @len at
  FIFO_READ_AVAIL(buffer) on entry.

* fifo_initialize_internal: SIZE_MAX wrap (libretro-common/
  queues/fifo_queue.c).  The function reserves one ring slot
  for the empty/full distinction, so the actual allocation is
  (len + 1) bytes.  Passing SIZE_MAX wraps that addition to 0;
  calloc(1, 0) is allowed to satisfy with a non-NULL pointer
  to a zero-byte allocation, so initialisation can succeed and
  leave buf->size == 0.  The next fifo_write would then divide
  by zero on the `% buffer->size` end-pointer update.  No
  current caller asks for SIZE_MAX, so the rejection is purely
  defensive.

Also documents the new caps in the public header (fifo_write /
fifo_read) so callers know that exceeding available space is a
silent drop, not a silent overrun.

Adds a regression test under libretro-common/samples/queues/
fifo_queue_bounds_test/.  The test exercises:

  - SIZE_MAX initialisation (must be rejected),
  - over-write of 2048 bytes into a 100-byte ring (capped at 100,
    no OOB write),
  - over-read into a 64-byte buffer (capped at FIFO_READ_AVAIL,
    trailing bytes untouched),
  - SIZE_MAX @len passed to fifo_write with end != 0 (the
    integer-overflow case in the original gating test),
  - wrap-around correctness when the cap isn't engaged,
  - zero-length write/read no-ops.

Wired into the existing libretro-common-samples CI workflow with
SANITIZER=address,undefined.  Pre-patch the test fails: the
SIZE_MAX init succeeds (no rejection), and the over-write trips
ASan with a 1947-byte heap-buffer-overflow WRITE.  Post-patch
all seven cases pass under ASan + UBSan + LSan.

Note on residual scope
----------------------
The cap protects @buffer->buffer (the destination ring) but not
@in_buf (the caller-supplied source).  fifo_write reads exactly
@len bytes from @in_buf -- a buggy caller that passes
@len > sizeof(*in_buf) gets a source over-read that we cannot
detect from inside the function (no @in_buf size parameter).
That residual is unchanged by this commit; the surface area for
it is much smaller than the destination overrun (audio drivers
all pass full-size frame buffers).  Any future hardening would
require an API break to add @in_buf_len, which is out of scope.

Author: LibretroAdmin

.github/workflows/Linux-libretro-common-samples.yml

@@ -79,6 +79,7 @@ jobs:
             word_wrap_overflow_test
             task_queue_title_error_test
             tpool_wait_test
+            fifo_queue_bounds_test
           )
 
           # Per-binary run command (overrides ./<binary> if present).

libretro-common/include/queues/fifo_queue.h

@@ -126,6 +126,12 @@ static INLINE void fifo_clear(fifo_buffer_t *buffer)
 /**
  * Writes \c size bytes to the given queue.
  *
+ * \c size is silently capped at \c FIFO_WRITE_AVAIL(buffer) --
+ * the call writes at most that many bytes and discards any
+ * excess.  Callers that need to be sure all bytes are queued
+ * must gate on \c FIFO_WRITE_AVAIL beforehand.  Behaviour is
+ * undefined if \c buffer is \c NULL.
+ *
  * @param buffer The FIFO queue to write to.
  * @param in_buf The buffer to read bytes from.
  * @param size The length of \c in_buf, in bytes.
@@ -135,6 +141,12 @@ void fifo_write(fifo_buffer_t *buffer, const void *in_buf, size_t len);
 /**
  * Reads \c size bytes from the given queue.
  *
+ * \c size is silently capped at \c FIFO_READ_AVAIL(buffer) --
+ * the call returns at most that many bytes and leaves the
+ * trailing portion of \c in_buf untouched.  Callers that need
+ * exactly \c size bytes must gate on \c FIFO_READ_AVAIL
+ * beforehand.  Behaviour is undefined if \c buffer is \c NULL.
+ *
  * @param buffer The FIFO queue to read from.
  * @param in_buf The buffer to store the read bytes in.
  * @param size The length of \c in_buf, in bytes.

libretro-common/queues/fifo_queue.c

@@ -31,7 +31,21 @@
 
 static bool fifo_initialize_internal(fifo_buffer_t *buf, size_t len)
 {
-   uint8_t *buffer    = (uint8_t*)calloc(1, len + 1);
+   uint8_t *buffer;
+
+   /* The ring reserves one slot to distinguish empty from full,
+    * so the actual allocation is (len + 1) bytes.  Reject @len
+    * values that would wrap that addition: SIZE_MAX would
+    * compute (size_t)0, which calloc(1, 0) is allowed to satisfy
+    * with a non-NULL pointer to a zero-byte allocation.  Letting
+    * that succeed would leave buf->size == 0 and the next
+    * fifo_write would divide by zero at the `% buffer->size`
+    * step.  No current caller asks for SIZE_MAX, so the rejection
+    * is purely defensive. */
+   if (len >= SIZE_MAX)
+      return false;
+
+   buffer = (uint8_t*)calloc(1, len + 1);
 
    if (!buffer)
       return false;
@@ -91,8 +105,31 @@ fifo_buffer_t *fifo_new(size_t len)
 
 void fifo_write(fifo_buffer_t *buffer, const void *in_buf, size_t len)
 {
-   size_t first_write = len;
+   size_t first_write;
    size_t rest_write  = 0;
+   size_t avail;
+
+   /* Cap @len at the available space.  Existing callers all
+    * gate on FIFO_WRITE_AVAIL before invoking us, so this is
+    * a no-op for them; for any caller that doesn't, the
+    * unbounded branch below would walk off the end of
+    * @buffer->buffer (the wrap-around copy at line `memcpy(
+    * buffer->buffer, ..., rest_write)` would write up to
+    * len - first_write bytes into a buffer of @buffer->size
+    * total, overrunning by len - size).  Worse, the original
+    * `buffer->end + len > buffer->size` test wraps in size_t
+    * for huge @len and silently misclassifies the request as
+    * "fits in one chunk", taking the corrupting first memcpy
+    * down a path with no wrap-around bound at all.  Capping
+    * here closes both windows. */
+   avail = FIFO_WRITE_AVAIL(buffer);
+   if (len > avail)
+      len = avail;
+
+   if (!len)
+      return;
+
+   first_write = len;
 
    if (buffer->end + len > buffer->size)
    {
@@ -109,8 +146,22 @@ void fifo_write(fifo_buffer_t *buffer, const void *in_buf, size_t len)
 
 void fifo_read(fifo_buffer_t *buffer, void *in_buf, size_t len)
 {
-   size_t first_read = len;
+   size_t first_read;
    size_t rest_read  = 0;
+   size_t avail;
+
+   /* Same rationale as fifo_write: cap @len at what's actually
+    * available to avoid out-of-buffer copies on a caller that
+    * forgot to gate on FIFO_READ_AVAIL.  Existing callers all
+    * gate first; this is defensive. */
+   avail = FIFO_READ_AVAIL(buffer);
+   if (len > avail)
+      len = avail;
+
+   if (!len)
+      return;
+
+   first_read = len;
 
    if (buffer->first + len > buffer->size)
    {

libretro-common/samples/queues/fifo_queue_bounds_test/Makefile

@@ -0,0 +1,29 @@
+TARGET := fifo_queue_bounds_test
+
+LIBRETRO_COMM_DIR := ../../..
+
+SOURCES := \
+	fifo_queue_bounds_test.c \
+	$(LIBRETRO_COMM_DIR)/queues/fifo_queue.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -O0 -I$(LIBRETRO_COMM_DIR)/include
+
+ifneq ($(SANITIZER),)
+   CFLAGS  := -fsanitize=$(SANITIZER) -fno-omit-frame-pointer $(CFLAGS)
+   LDFLAGS := -fsanitize=$(SANITIZER) $(LDFLAGS)
+endif
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean