gfx/drivers: fix OOM NULL-derefs and munmap(MAP_FAILED) in legacy platform drivers

LibretroAdmin · LibretroAdmin · commit 23da75245ad9 · 2026-04-23T23:38:32.000+02:00
Three related bugs in older embedded gfx backends:

=== gfx/drivers/dispmanx_gfx.c: dispmanx_surface_setup ===

    *sp = calloc(1, sizeof(struct dispmanx_surface));
    surface = *sp;
    surface-&gt;numpages = numpages;      /* NULL-deref on OOM */
    ...
    surface-&gt;pages = calloc(surface-&gt;numpages, sizeof(struct dispmanx_page));
    for (i = 0; i &lt; surface-&gt;numpages; i++)
    {
        surface-&gt;pages[i].used = false; /* NULL-deref on OOM */
        ...
    }

Two unchecked callocs back-to-back, each followed by unconditional
field writes / array indexing.  Function is void-returning, so
callers can't see an error code - they just hand us an output
pointer via 'sp' and trust it gets filled in.  None of the three
current callers (lines 367, 464, 518 - main/menu/back surface
setup) check *sp after the call.

=== gfx/drivers/drm_gfx.c: drm_surface_setup ===

Identical sibling drift to the dispmanx bug above.  The two
routines share the same shape (output-ptr via sp, void return,
outer surface calloc then inner pages calloc) and both were
missing the same NULL checks.

Fix (both files): NULL-check each calloc.  On outer failure just
return; on inner failure free the outer allocation and set
*sp = NULL so callers get a consistent 'setup didn't produce a
surface' signal.  Note: this doesn't fully plug the OOM path -
downstream helpers (dispmanx_surface_update_async,
drm_surface_update, dispmanx_surface_free, drm_surface_free)
do NOT NULL-check 'surface' either, so a caller that ignores
*sp and then calls into those helpers would still crash.
Fixing every call-site pattern is a bigger churn across the
driver than this patch is trying to do; the surface_setup fix
here at least stops setup itself from being the crash site
and gives callers consistent post-condition semantics (*sp is
NULL iff setup failed).

=== gfx/drivers/omap_gfx.c: omapfb_backup_state - munmap(MAP_FAILED) ===

    pdata-&gt;saved_state-&gt;mem = malloc(pdata-&gt;saved_state-&gt;mi.size);
    mem = mmap(NULL, pdata-&gt;saved_state-&gt;mi.size, ...);
    if (!pdata-&gt;saved_state-&gt;mem || mem == MAP_FAILED)
    {
       RARCH_ERR("[Omap] Backup layer (mem backup) failed.\n");
       munmap(mem, pdata-&gt;saved_state-&gt;mi.size);      /* UB on MAP_FAILED */
       return -1;
    }

If mmap fails, 'mem' equals MAP_FAILED ((void*)-1).  Calling
munmap() on that is explicitly undefined behaviour per POSIX -
glibc happens to return -1 with EINVAL today but there is no
guarantee, and a future libc / sanitiser is entirely within its
rights to trap.

Fix: guard the munmap with 'if (mem != MAP_FAILED)'.  The
malloc-failure path (saved_state-&gt;mem == NULL) is separately
fine: the memory never got allocated so there's nothing to
munmap, and saved_state itself is freed later by omapfb_free()
when the caller's fail_omapfb label runs.

=== Thread-safety ===

None of the three functions cross threads.  dispmanx and drm
surface setup run during video-driver init; omap backup_state
also runs at init.  No lock discipline changes.

=== Reachability ===

All three files are embedded-platform gfx backends with narrow
audience:
  - dispmanx_gfx: Raspberry Pi legacy VideoCore IV
  - drm_gfx: bare-metal DRM/KMS (PiKISS, some retro handhelds)
  - omap_gfx: TI OMAP (N900, Pandora, older Beagleboard)

OOM on these platforms is realistic - they typically have
128-512MB of total RAM and run on top of memory-tight minimal
images.  The dispmanx/drm OOM paths are hit on initial video
init and also on every core-triggered surface re-setup for
resolution changes.
diff --git a/gfx/drivers/dispmanx_gfx.c b/gfx/drivers/dispmanx_gfx.c
@@ -239,6 +239,18 @@ static void dispmanx_surface_setup(struct dispmanx_video *_dispvars,
 
    surface = *sp;
 
+   /* NULL-check the outer calloc: the next dozen lines of
+    * surface->... field writes would NULL-deref on OOM.  This
+    * function is void-returning, so callers can't see an error
+    * code - they have to notice *sp == NULL themselves.  None of
+    * the three current callers (lines 367, 464, 518) do that,
+    * but letting the function no-op on OOM is still strictly
+    * better than a segfault, and a subsequent
+    * dispmanx_surface_update_async(..., *sp) would also no-op
+    * on a NULL surface. */
+   if (!surface)
+      return;
+
    /* Setup surface parameters */
    surface->numpages = numpages;
    /* We receive the pitch for what we consider "useful info",
@@ -255,6 +267,18 @@ static void dispmanx_surface_setup(struct dispmanx_video *_dispvars,
     * and initialize variables inside each page's struct. */
    surface->pages = calloc(surface->numpages, sizeof(struct dispmanx_page));
 
+   /* NULL-check the pages calloc as well.  The for-loop below
+    * indexes into surface->pages unconditionally.  On OOM undo
+    * the outer surface allocation so the caller gets a NULL
+    * pointer back consistent with the initial-alloc failure
+    * above. */
+   if (!surface->pages)
+   {
+      free(surface);
+      *sp = NULL;
+      return;
+   }
+
    for (i = 0; i < surface->numpages; i++)
    {
       surface->pages[i].used = false;
diff --git a/gfx/drivers/drm_gfx.c b/gfx/drivers/drm_gfx.c
@@ -232,6 +232,16 @@ static void drm_surface_setup(void *data,  int src_width, int src_height,
 
    surface = *sp;
 
+   /* NULL-check the outer calloc: the surface->... field writes
+    * below would NULL-deref on OOM.  Sibling bug to the one in
+    * dispmanx_surface_setup - the two routines share this
+    * structure (output-pointer + void return) and both had the
+    * same missing checks.  void-returning so callers can't see
+    * an error code; letting the function no-op on OOM beats a
+    * segfault. */
+   if (!surface)
+      return;
+
    /* Setup surface parameters */
    surface->numpages = numpages;
    /* We receive the total pitch, including things that are
@@ -252,6 +262,16 @@ static void drm_surface_setup(void *data,  int src_width, int src_height,
    surface->pages = (struct drm_page*)
       calloc(surface->numpages, sizeof(struct drm_page));
 
+   /* Same NULL-check for the pages array.  Undo the outer
+    * surface allocation on OOM to give callers a consistent
+    * NULL. */
+   if (!surface->pages)
+   {
+      free(surface);
+      *sp = NULL;
+      return;
+   }
+
    for (i = 0; i < surface->numpages; i++)
    {
       surface->pages[i].used            = false;
diff --git a/gfx/drivers/omap_gfx.c b/gfx/drivers/omap_gfx.c
@@ -370,7 +370,15 @@ static int omapfb_backup_state(omapfb_data_t *pdata)
    if (!pdata->saved_state->mem || mem == MAP_FAILED)
    {
       RARCH_ERR("[Omap] Backup layer (mem backup) failed.\n");
-      munmap(mem, pdata->saved_state->mi.size);
+      /* Only munmap if mmap actually succeeded.  munmap(MAP_FAILED, ...)
+       * is undefined per POSIX - MAP_FAILED is (void*)-1 and any
+       * implementation-specific behaviour it triggers is no guarantee
+       * against a future libc flagging it as an error or crashing.
+       * The malloc failure path separately leaves saved_state->mem
+       * as NULL; it gets cleaned up by omapfb_free() via the caller's
+       * fail_omapfb goto. */
+      if (mem != MAP_FAILED)
+         munmap(mem, pdata->saved_state->mi.size);
       return -1;
    }
    memcpy(pdata->saved_state->mem, mem, pdata->saved_state->mi.size);
