Commit 22be8c8
committed
libretro-common/nbio_linux: fix realloc-to-self leak on OOM in nbio_linux_resize
nbio_linux_resize committed the new length before realloc could be
validated:
handle->ptr = realloc(handle->ptr, len);
handle->len = len;
If realloc() returns NULL, handle->ptr is overwritten with NULL
and the original buffer is leaked. handle->len is then updated to
the new (larger) size, so the handle reports that it owns 'len'
bytes of data that actually live at a NULL pointer. Every
subsequent nbio_linux_get_ptr / read / write call that iterates
up to handle->len walks off NULL.
The sibling nbio_stdio_resize (libretro-common/file/nbio/nbio_stdio.c
line 261) already uses the correct tmp-pointer-then-commit pattern
and explicitly calls out the same pre-patch bug in a code comment.
The linux variant was the lone holdout.
Fix: realloc into a new_ptr local, only commit on success. On OOM
return early without updating handle->ptr or handle->len, leaving
the handle in its pre-resize state. Callers that currently crash
on NULL-deref now see the old len and the old pointer - which is
the same 'no-op on OOM' behaviour that nbio_stdio_resize already
promises.
Thread-safety: unchanged. nbio handles are owned by whichever
thread is servicing them (typically a task queue thread); no
shared state touched.
1 parent 04252ec commit 22be8c8
1 file changed
Lines changed: 16 additions & 1 deletion
Diff of the changed nbio_linux file (the diff's line contents were not captured on this page, only its line numbers): one line inserted after original line 155 (new line 156), and original line 169 replaced by new lines 170-184, matching the 16 additions and 1 deletion above.
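The pre-patch and patched resize patterns side by side, as an added example in C that is not part of this commit or of libretro-common; the `nbio_demo_t` struct, the `demo_realloc` fault-injection wrapper and the function names are constructed for illustration, and the forced NULL return stands in for a real OOM.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for an nbio handle (hypothetical, not libretro's struct). */
typedef struct {
    void  *ptr;
    size_t len;
} nbio_demo_t;

/* Constructed fault injection: when fail_next is set, the next allocation
 * returns NULL once, simulating realloc() failing under memory pressure. */
static int fail_next = 0;
static void *demo_realloc(void *p, size_t n)
{
    if (fail_next) { fail_next = 0; return NULL; }
    return realloc(p, n);
}

/* Pre-patch pattern: commits the new length regardless of the realloc result. */
int resize_buggy(nbio_demo_t *h, size_t len)
{
    h->ptr = demo_realloc(h->ptr, len);  /* on NULL the old buffer is leaked */
    h->len = len;                        /* len now describes a NULL pointer */
    return h->ptr != NULL;
}

/* Patched pattern: realloc into a temporary and commit only on success. */
int resize_fixed(nbio_demo_t *h, size_t len)
{
    void *new_ptr = demo_realloc(h->ptr, len);
    if (!new_ptr)
        return 0;   /* handle untouched: old ptr, old len, no-op on OOM */
    h->ptr = new_ptr;
    h->len = len;
    return 1;
}

/* Runs one resize implementation through a simulated OOM and returns 1 if the
 * handle's ptr/len pair is still consistent afterwards, 0 if it is not. */
int handle_consistent_after_oom(int (*resize)(nbio_demo_t *, size_t))
{
    nbio_demo_t h = { malloc(16), 16 };
    int ok;
    memset(h.ptr, 0xAB, 16);
    fail_next = 1;
    resize(&h, 1 << 20);               /* this call is forced to fail */
    ok = (h.ptr != NULL) && (h.len == 16);
    free(h.ptr);                       /* buggy path: frees NULL, 16 bytes leaked */
    return ok;
}
```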