test/libretro-db: regression test for rmsgpack length-field guards + CI

LibretroAdmin · LibretroAdmin · commit 45699e26fa86 · 2026-04-27T22:37:54.000+02:00
Adds libretro-db/samples/rmsgpack/rmsgpack_overflow_test, a self-contained regression test for the three preceding commits (b701dbb, ee37153, a22e6fc). Seven cases: - STR32 with len 0xFFFFFFFE on a 5-byte stream (rejected) - MAP32 with len 0x10000000 on a 5-byte stream (rejected) - ARRAY32 with len 0xFFFFFFFF on a 5-byte stream (rejected) - Truncated ARRAY16 claiming 10 entries with 5 available (rejected) - Valid fixmap of 2 entries with valid contents (accepted) - Valid ARRAY16 of 4 fixints (accepted) - Valid maximal STR8 (len 0xFF) with that many bytes (accepted) Verified to discriminate pre/post-patch: against b701dbb~1's rmsgpack.c the STR32 case segfaults under tight memory limits (ulimit -v 524288: malloc(0xFFFFFFFF) returns NULL, the unchecked *pbuff = ... is dereferenced); against the patched code all seven cases pass. The test follows the existing samples/ pattern (plain C, asserts manually, exit nonzero on failure) rather than libcheck because that's what the existing CI harness in .github/workflows/Linux-libretro-common-samples.yml understands. Uses intfstream_open_memory so the test needs no filesystem fixtures and the size-bound path fires (memory streams report a known size). Adds a sibling workflow Linux-libretro-db-samples.yml that walks libretro-db/samples/, builds every Makefile-rooted directory, and runs targets named in its RUN_TARGETS allowlist. The workflow is a near-verbatim copy of the libretro-common-samples one with the working-directory changed and an empty initial RUN_TARGETS allow- list except for rmsgpack_overflow_test; new tests added under libretro-db/samples/ in the future just need their Makefile target appended to that allowlist. Tested locally: the workflow's bash logic builds the test, runs it, and the test reports all 7 SUCCESS lines and exits 0. Build takes ~6 seconds on Ubuntu 24 with system gcc and zlib1g-dev.
diff --git a/.github/workflows/Linux-libretro-db-samples.yml b/.github/workflows/Linux-libretro-db-samples.yml
@@ -0,0 +1,151 @@
+name: CI Linux libretro-db samples
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+
+jobs:
+  samples:
+    name: Build and run libretro-db/samples
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y build-essential zlib1g-dev
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build and run samples
+        shell: bash
+        working-directory: libretro-db/samples
+        run: |
+          set -u
+          set -o pipefail
+
+          # Samples whose binary, when invoked with no arguments, runs a
+          # self-contained test and exits 0 on success / non-zero on
+          # failure.  These are built AND executed.
+          declare -a RUN_TARGETS=(
+            rmsgpack_overflow_test
+          )
+
+          # Per-binary run command (overrides ./<binary> if present).
+          declare -A RUN_ENV=()
+
+          # Samples that are build-only.
+          declare -a BUILD_ONLY_DIRS=(
+          )
+
+          # Samples that are currently broken at build time on a stock
+          # Ubuntu host and are therefore neither built nor run.
+          declare -a SKIP_DIRS=(
+          )
+
+          is_in() {
+            local needle=$1; shift
+            local h
+            for h in "$@"; do [[ "$h" == "$needle" ]] && return 0; done
+            return 1
+          }
+
+          fails=0
+          builds=0
+          runs=0
+
+          # Collect all Makefile directories (one or two levels deep).
+          mapfile -t MKDIRS < <(find . -name Makefile -printf '%h\n' | sort)
+
+          printf '\n==> %d sample directories found\n' "${#MKDIRS[@]}"
+          for d in "${MKDIRS[@]}"; do printf '    %s\n' "${d#./}"; done
+          printf '\n'
+
+          for d in "${MKDIRS[@]}"; do
+            rel=${d#./}
+            printf '========================================\n'
+            printf '[%s] %s\n' "$(is_in "$rel" "${SKIP_DIRS[@]}" && echo skip || echo build)" "$rel"
+            printf '========================================\n'
+
+            if is_in "$rel" "${SKIP_DIRS[@]}"; then
+              printf '[skip] %s is on the skip list\n\n' "$rel"
+              continue
+            fi
+
+            # Build
+            if ! ( cd "$d" && make clean all ); then
+              printf '\n::error title=Build failed::%s failed to build\n' "$rel"
+              fails=$((fails+1))
+              continue
+            fi
+            builds=$((builds+1))
+
+            # Skip run for build-only dirs
+            if is_in "$rel" "${BUILD_ONLY_DIRS[@]}"; then
+              printf '[skip-run] %s (build-only list)\n\n' "$rel"
+              continue
+            fi
+
+            # Extract targets from Makefile.  Handles:
+            #   TARGET := foo
+            #   TARGETS = a b c
+            #   TARGET_TEST := foo_test
+            #   TARGET_TEST2 := foo_test2
+            mapfile -t targets < <(
+              grep -hE '^(TARGET|TARGETS|TARGET_TEST[0-9]*)[[:space:]]*[:?]?=' "$d/Makefile" \
+              | sed -E 's/^[^=]*=[[:space:]]*//' \
+              | tr -s ' \t' '\n' \
+              | grep -v '^$' \
+              | sort -u
+            )
+
+            for t in "${targets[@]}"; do
+              if ! is_in "$t" "${RUN_TARGETS[@]}"; then
+                printf '[skip-run] %s/%s (not in run allowlist)\n' "$rel" "$t"
+                continue
+              fi
+
+              bin="$d/$t"
+              if [[ ! -x "$bin" ]]; then
+                printf '::error title=Missing binary::%s was in the run allowlist but %s does not exist after build\n' "$t" "$bin"
+                fails=$((fails+1))
+                continue
+              fi
+
+              extra_env=${RUN_ENV[$t]:-}
+
+              printf '\n[run] %s\n' "$bin"
+              if ( cd "$d" && env $extra_env timeout 60 "./$t" ); then
+                printf '[pass] %s\n\n' "$t"
+                runs=$((runs+1))
+              else
+                rc=$?
+                printf '\n::error title=Test failed::%s exited with status %d\n' "$t" "$rc"
+                fails=$((fails+1))
+              fi
+            done
+          done
+
+          printf '========================================\n'
+          printf 'Summary\n'
+          printf '========================================\n'
+          printf '  Built: %d\n' "$builds"
+          printf '  Ran:   %d\n' "$runs"
+          printf '  Failed: %d\n' "$fails"
+
+          if [[ $fails -gt 0 ]]; then
+            exit 1
+          fi
diff --git a/libretro-db/libretrodb.c b/libretro-db/libretrodb.c
@@ -196,6 +196,7 @@ int libretrodb_open(const char *path, libretrodb_t *db, bool write)
 {
    libretrodb_header_t header;
    libretrodb_metadata_t md;
+   int64_t       file_size;
    unsigned mode = write ? RETRO_VFS_FILE_ACCESS_READ_WRITE | RETRO_VFS_FILE_ACCESS_UPDATE_EXISTING : RETRO_VFS_FILE_ACCESS_READ;
    intfstream_t *fd = intfstream_open_file(path, mode, RETRO_VFS_FILE_ACCESS_HINT_NONE);
    db->can_write = write;
@@ -215,8 +216,26 @@ int libretrodb_open(const char *path, libretrodb_t *db, bool write)
       goto error;
 
    header.metadata_offset = swap_if_little64(header.metadata_offset);
-   intfstream_seek(fd, (ssize_t)header.metadata_offset,
-         RETRO_VFS_SEEK_POSITION_START);
+
+   /* Pre-patch the metadata_offset field was an attacker-
+    * controlled uint64 from the .rdb header, cast to ssize_t and
+    * fed straight to intfstream_seek without any bounds check.
+    * On 32-bit that cast truncates; on 64-bit a value past EOF
+    * left the stream in a state where the subsequent
+    * rmsgpack_dom_read_into either failed cleanly or, depending
+    * on the VFS implementation's seek-past-EOF semantics, read
+    * stale buffered bytes.
+    *
+    * Reject metadata_offset that doesn't fit in the actual file
+    * (must leave room for at least the 1-byte fixmap header). */
+   file_size = intfstream_get_size(fd);
+   if (file_size < 0)
+      goto error;
+   if (header.metadata_offset >= (uint64_t)file_size)
+      goto error;
+   if (intfstream_seek(fd, (ssize_t)header.metadata_offset,
+         RETRO_VFS_SEEK_POSITION_START) < 0)
+      goto error;
 
    if (rmsgpack_dom_read_into(fd, "count", &md.count, NULL) < 0)
       goto error;
diff --git a/libretro-db/rmsgpack.c b/libretro-db/rmsgpack.c
@@ -387,11 +387,44 @@ static int rmsgpack_read_buff(intfstream_t *fd, size_t size, char **pbuff, uint6
 {
    ssize_t read_len;
    uint64_t tmp_len   = 0;
+   int64_t  remaining;
+   int64_t  here;
+   int64_t  total;
 
    if (rmsgpack_read_uint(fd, &tmp_len, size) == -1)
       return -1;
 
+   /* Pre-patch tmp_len was an attacker-controlled uint64 fed
+    * directly into malloc((size_t)(tmp_len + 1)).  Three
+    * problems:
+    *   - tmp_len = UINT64_MAX wraps to malloc(0) returning a
+    *     small block; the subsequent intfstream_read with
+    *     (size_t)UINT64_MAX bytes would heap-overflow on any
+    *     stream that could deliver them.
+    *   - tmp_len = 0xFFFFFFFE forces a ~4 GiB malloc on 64-bit
+    *     (which Linux overcommit happily grants) for a 5-byte
+    *     STR32 input, OOM-killing the process.  On 32-bit the
+    *     (size_t) cast truncates and creates a heap overflow.
+    *   - Even when malloc returns NULL the code dereferenced
+    *     *pbuff at line 396 and (*pbuff)[read_len] at line 404.
+    *
+    * Fix: bound tmp_len against the remaining bytes in the
+    * stream (a buffer can't legitimately claim more bytes than
+    * are left to read), reject the SIZE_MAX edge to avoid the
+    * +1 wrap, and NULL-check the malloc. */
+   here  = intfstream_tell(fd);
+   total = intfstream_get_size(fd);
+   if (here < 0 || total < 0 || here > total)
+      return -1;
+   remaining = total - here;
+   if (tmp_len > (uint64_t)remaining)
+      return -1;
+   if (tmp_len >= (uint64_t)((size_t)-1))
+      return -1;
+
    *pbuff             = (char *)malloc((size_t)(tmp_len + 1) * sizeof(char));
+   if (!*pbuff)
+      return -1;
 
    if ((read_len      = intfstream_read(fd, *pbuff, (size_t)tmp_len)) == -1)
    {
@@ -412,6 +445,29 @@ static int rmsgpack_read_map(intfstream_t *fd, uint32_t len,
 {
    int rv;
    unsigned i;
+   int64_t  here, total;
+
+   /* Pre-patch len was an attacker-controlled uint32 from the
+    * file (MAP16 or MAP32 header) handed straight to the callback
+    * which calloc'd 'len * sizeof(rmsgpack_dom_pair)' (~80 bytes
+    * per pair).  A 5-byte MAP32 header '0xdf 0x10 0x00 0x00 0x00'
+    * (len = 2^28) demanded a ~21 GiB calloc, OOM-killing the
+    * process.  Even where calloc succeeded, the subsequent
+    * iteration recursed into rmsgpack_read len times, doubling
+    * the dom reader stack on each recursion until it ran out.
+    *
+    * A map cannot legitimately claim more entries than the
+    * stream has bytes left to encode them: the smallest possible
+    * key+value pair is 2 bytes (one type byte each).  Reject
+    * len > remaining_bytes / 2. */
+   here  = intfstream_tell(fd);
+   total = intfstream_get_size(fd);
+   if (here >= 0 && total >= 0 && here <= total)
+   {
+      uint64_t remaining = (uint64_t)(total - here);
+      if ((uint64_t)len > remaining / 2u)
+         return -1;
+   }
 
    if (     (     callbacks->read_map_start)
          && (rv = callbacks->read_map_start(len, data)) < 0)
@@ -433,6 +489,20 @@ static int rmsgpack_read_array(intfstream_t *fd, uint32_t len,
 {
    int rv;
    unsigned i;
+   int64_t  here, total;
+
+   /* Same primitive as rmsgpack_read_map above.  Smallest
+    * possible array element is 1 byte (a fixint), so len cannot
+    * legitimately exceed the number of bytes left in the
+    * stream. */
+   here  = intfstream_tell(fd);
+   total = intfstream_get_size(fd);
+   if (here >= 0 && total >= 0 && here <= total)
+   {
+      uint64_t remaining = (uint64_t)(total - here);
+      if ((uint64_t)len > remaining)
+         return -1;
+   }
 
    if (     (     callbacks->read_array_start)
          && (rv = callbacks->read_array_start(len, data)) < 0)
diff --git a/libretro-db/samples/rmsgpack/Makefile b/libretro-db/samples/rmsgpack/Makefile
@@ -0,0 +1,41 @@
+TARGET := rmsgpack_overflow_test
+
+LIBRETRODB_DIR    := ../..
+LIBRETRO_COMM_DIR := ../../../libretro-common
+
+SOURCES := \
+	rmsgpack_overflow_test.c \
+	$(LIBRETRODB_DIR)/rmsgpack.c \
+	$(LIBRETRODB_DIR)/rmsgpack_dom.c \
+	$(LIBRETRO_COMM_DIR)/streams/interface_stream.c \
+	$(LIBRETRO_COMM_DIR)/streams/file_stream.c \
+	$(LIBRETRO_COMM_DIR)/streams/memory_stream.c \
+	$(LIBRETRO_COMM_DIR)/compat/compat_strl.c \
+	$(LIBRETRO_COMM_DIR)/compat/fopen_utf8.c \
+	$(LIBRETRO_COMM_DIR)/encodings/encoding_utf.c \
+	$(LIBRETRO_COMM_DIR)/encodings/encoding_crc32.c \
+	$(LIBRETRO_COMM_DIR)/file/file_path.c \
+	$(LIBRETRO_COMM_DIR)/file/file_path_io.c \
+	$(LIBRETRO_COMM_DIR)/string/stdstring.c \
+	$(LIBRETRO_COMM_DIR)/time/rtime.c \
+	$(LIBRETRO_COMM_DIR)/vfs/vfs_implementation.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS  += -Wall -pedantic -std=gnu99 -g \
+           -I$(LIBRETRO_COMM_DIR)/include \
+           -I$(LIBRETRODB_DIR)
+LDFLAGS +=
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean
diff --git a/libretro-db/samples/rmsgpack/rmsgpack_overflow_test.c b/libretro-db/samples/rmsgpack/rmsgpack_overflow_test.c
