network/cloud_sync + netplay: fix NULL-deref, OOM crashes, and realloc-to-self leak

Four bugs found in a sweep of network/ alloc sites.

=== network/cloud_sync/s3.c: s3_url_encode / s3_trim_string ===

Both helpers had the same dead-code NULL guard:

    static char* s3_url_encode(const char *input)
    {
       size_t input_len = strlen(input);    /* segfaults on NULL */
       size_t output_pos = 0;

       char *output = malloc(input_len * 3 + 1);

       size_t i;

       if (!output)
          return NULL;

       if (!input)                          /* dead code */
          return NULL;
       ...

The 'if (!input)' check sat after both strlen(input) and the
malloc sized by strlen's result, so a NULL input crashed in
strlen before we ever reached the guard.  s3_trim_string at
line 443 had the identical pattern.

Fix: move the NULL-check to run FIRST, then strlen, then malloc
(also NULL-checked).  Dropped the dead post-strlen guard.

These callers feed arbitrary header values / URL path components
through these helpers; a malformed S3 response or a malformed
user-supplied bucket/path was one NULL away from crashing the
cloud-sync subsystem.

=== network/cloud_sync/s3.c: s3_build_auth_header ===

Straight OOM NULL-deref:

    auth_header = malloc(1024);
    snprintf(auth_header, 1024, ...);     /* NULL-deref on OOM */

Also leaked 'signature' (heap-allocated just above by
s3_calculate_signature_v4_with_time) on the crash path - the
free at the bottom of the function was unreachable.

Fix: NULL-check the malloc, free signature + return NULL on OOM.

=== network/cloud_sync/google_drive.c: gdrive_do_patch ===

    filestream_seek(cb_st->rfile, 0, SEEK_SET);
    len = filestream_get_size(cb_st->rfile);
    buf = malloc((size_t)(len + 1));            /* unchecked */
    filestream_read(cb_st->rfile, buf, len);    /* NULL-deref */
    ...
    task_push_http_transfer_with_content(url, "PATCH",
          buf, (size_t)len, ...);                /* sends NULL */

Two issues folded together:
  - malloc not NULL-checked.
  - filestream_get_size returns int64_t; on file-not-readable /
    error it returns negative.  (size_t)(-1 + 1) == 0, so
    malloc(0) is either NULL or a valid zero-sized pointer
    depending on libc, and the subsequent filestream_read with
    a negative size_t-cast len is undefined at best.

Fix: bail early on len <= 0 (the patch is a PUT of the file's
contents, empty or error both mean nothing to upload), then
NULL-check the malloc.  Function is void-returning, so on OOM
just silently skip this upload and let the next sync poll
retry.

=== network/netplay/netplay_frontend.c: state-buffer growth ===

When a peer sends a state_size larger than ours, all buffer
entries are grown to match:

    netplay->state_size = state_size;
    for (i = 0; i < netplay->buffer_size; i++)
    {
       netplay->buffer[i].state = realloc(netplay->buffer[i].state, netplay->state_size);
       if (!netplay->buffer[i].state)
          return false;
    }

Classic realloc-assign-self leak: on OOM realloc returns NULL
but leaves the prior buffer[i].state allocation intact; the
self-assign overwrites the only pointer to it and leaks the
whole ring entry.

Fix: realloc into a temp, NULL-check, commit to the ivar only on
success.  Still return false on OOM; the caller disconnects the
netplay connection on false return, so the partially-grown
buffer (entries 0..i-1 at new size, i..end at old size) is
about to be torn down anyway and the inconsistency is transient.

=== Thread-safety ===

Unchanged.  s3 and google_drive cloud-sync helpers run on the
task-queue worker thread; netplay state handling runs on the
netplay thread.  No new locks or ordering requirements
introduced.

=== Reachability ===

Cloud-sync helpers fire on every background sync poll
(configurable, default ~5-minute interval).  s3_url_encode and
s3_trim_string are called on every request path / header field.
The netplay realloc is hit when a peer with a different-version
core joins and the two sides disagree on save-state size.  All
four are reachable in realistic runtime conditions.

Author: LibretroAdmin

network/cloud_sync/google_drive.c

@@ -1342,7 +1342,19 @@ static void gdrive_do_patch(gdrive_cb_state_t *cb_st)
 
    filestream_seek(cb_st->rfile, 0, SEEK_SET);
    len = filestream_get_size(cb_st->rfile);
-   buf = malloc((size_t)(len + 1));
+   /* filestream_get_size returns negative on error; malloc of
+    * (size_t)(len + 1) would wrap or be zero, and the subsequent
+    * filestream_read(rfile, buf, len) would pass a negative size
+    * down.  Bail early on either error or empty file. */
+   if (len <= 0)
+      return;
+   /* NULL-check the malloc before filestream_read / the HTTP
+    * transfer below dereference 'buf'.  On OOM there's no
+    * recoverable action for a PATCH upload of the save/state
+    * file - silently skip this call and let the sync retry on
+    * the next poll. */
+   if (!(buf = malloc((size_t)(len + 1))))
+      return;
    filestream_read(cb_st->rfile, buf, len);
 
    snprintf(url, sizeof(url),

network/cloud_sync/s3.c

@@ -397,20 +397,24 @@ static char* s3_sha256_hash(const char *data, size_t len)
 /* URL encode a string according to RFC 3986 */
 static char* s3_url_encode(const char *input)
 {
-   size_t input_len = strlen(input);
+   size_t input_len;
    size_t output_pos = 0;
-
-   /* Worst case: every char needs encoding */
-   char *output = malloc(input_len * 3 + 1); 
-   
+   char *output;
    size_t i;
-   
-   if (!output)
-      return NULL;
-   
+
+   /* NULL-check input BEFORE calling strlen.  The previous form
+    * ran strlen(input) first (line-order: strlen, malloc, then
+    * 'if (!input)'), so the 'if (!input)' check was dead code -
+    * a NULL input segfaulted in strlen before we ever reached
+    * the guard. */
    if (!input)
       return NULL;
 
+   input_len = strlen(input);
+
+   /* Worst case: every char needs encoding */
+   if (!(output = malloc(input_len * 3 + 1)))
+      return NULL;
 
    for (i = 0; i < input_len; i++)
    {
@@ -440,15 +444,22 @@ static char* s3_url_encode(const char *input)
 /* Trim whitespace from string */
 static char* s3_trim_string(const char *input)
 {
-   size_t len = strlen(input);
+   size_t len;
    size_t start = 0;
-   size_t end = len;
+   size_t end;
    size_t trimmed_len = 0;
    char *trimmed = NULL;
 
+   /* NULL-check input BEFORE calling strlen.  Same dead-code bug
+    * as s3_url_encode: the 'if (!input)' check sat after the
+    * strlen call, so NULL input segfaulted before the guard
+    * could fire. */
    if (!input)
       return NULL;
 
+   len = strlen(input);
+   end = len;
+
    /* Find start of non-whitespace */
    while (start < len && (input[start] == ' ' || input[start] == '\t'))
       start++;
@@ -841,7 +852,15 @@ static char* s3_build_auth_header(const char *method, const char *canonical_uri,
             s3_st->access_key_id, date, s3_st->region, S3_SERVICE);
 
    /* Build authorization header */
-   auth_header = malloc(1024);
+   /* NULL-check the malloc: snprintf-into-NULL segfaults.  Also
+    * free 'signature' on the OOM path - the success path at line
+    * below already free's it, but the pre-patch code would have
+    * crashed before reaching that free. */
+   if (!(auth_header = malloc(1024)))
+   {
+      free(signature);
+      return NULL;
+   }
    snprintf(auth_header, 1024,
             "Authorization: %s Credential=%s, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=%s\r\n"
             "x-amz-date: %s\r\n"

network/netplay/netplay_frontend.c

@@ -6104,9 +6104,19 @@ static bool netplay_get_cmd(netplay_t *netplay,
                netplay->state_size = state_size;
                for (i = 0; i < netplay->buffer_size; i++)
                {
-                  netplay->buffer[i].state = realloc(netplay->buffer[i].state, netplay->state_size);
-                  if (!netplay->buffer[i].state)
+                  /* realloc-to-tmp to avoid the classic realloc-
+                   * assign-self leak: on OOM realloc returns NULL
+                   * but leaves buffer[i].state pointing at the
+                   * old allocation; self-assign overwrites the
+                   * only pointer and leaks it.  Propagate failure
+                   * up - the caller tears down the netplay
+                   * connection on false return, so the partially-
+                   * grown buffer (0..i-1 at new size, i..end still
+                   * at old size) is about to be torn down anyway. */
+                  void *tmp = realloc(netplay->buffer[i].state, netplay->state_size);
+                  if (!tmp)
                      return false;
+                  netplay->buffer[i].state = tmp;
                }
             }