runahead: fix OOM NULL-derefs in input-state tracking and savestate allocation

Five bugs in two call paths (input-state list management for
runahead's per-frame input replay, and the savestate ring
buffer).

=== runahead.c: input_list_element_constructor ===

    void *ptr                   = malloc(sizeof(input_list_element));
    input_list_element *element = (input_list_element*)ptr;

    element->port               = 0;          /* NULL-deref on OOM */
    ...
    element->state              = (int16_t*)calloc(NAME_MAX_LENGTH,
          sizeof(int16_t));
    element->state_size         = NAME_MAX_LENGTH;
    return ptr;

Two stacked unchecked allocs.  The outer malloc failure would
NULL-deref in the field writes immediately below.  The inner
calloc failure is subtler: ptr itself is still valid and would
be returned, but element->state = NULL while element->state_size
is set to a non-zero value (NAME_MAX_LENGTH).  The caller
(runahead_input_state_set_last) then does
'element->state[id] = value' on what looks like a valid element
and NULL-derefs.

Fix: NULL-check the outer malloc (return NULL for the caller,
which already handles it via 'if (element)').  NULL-check the
inner calloc, free the outer allocation, and return NULL
similarly.  Also moved the element->state_size = NAME_MAX_LENGTH
assignment to after the successful calloc so state/state_size
stay consistent.

=== runahead.c: input_list_element_realloc ===

    if (new_size > element->state_size)
    {
       element->state = (int16_t*)realloc(element->state,
             new_size * sizeof(int16_t));
       memset(&element->state[element->state_size], 0,
             (new_size - element->state_size) * sizeof(int16_t));
       element->state_size = new_size;
    }

Classic realloc-assign-self with no NULL check: on OOM
element->state becomes NULL, then '&element->state[element->
state_size]' performs pointer arithmetic on NULL (undefined
behaviour) and the memset traps on a garbage address.  This is
hit by runahead's per-frame input-state tracking any time a
port/device/index combination not previously seen encounters an
id beyond the element's current state buffer.

Fix: realloc-to-tmp, NULL-check the tmp, only commit the new
pointer and only update state_size on success.  Changed return
type from void to bool so callers can see the failure.

=== runahead.c: input_list_element_expand + callers ===

Propagate the realloc failure up through expand() (also now
returns bool) and gate the subsequent element->state[id] = value
writes in runahead_input_state_set_last on expand success.  Two
call-sites in that function (the lookup-hit branch and the
append-new-element branch) both now check:

    if (id >= element->state_size
          && !input_list_element_expand(element, id))
       return;
    element->state[id] = value;

Without the gate the pre-patch OOM path would write to state[id]
with state_size still too small, corrupting whatever followed the
state buffer in the heap.

=== runahead.c: runahead_save_state_alloc ===

    if (runloop_st->runahead_save_state_size > 0 && ...)
    {
       savestate->data       = malloc(runloop_st->runahead_save_state_size);
       savestate->data_const = savestate->data;
       savestate->size       = runloop_st->runahead_save_state_size;
    }

malloc unchecked and size is set regardless of alloc outcome.
On OOM: savestate->data is NULL but savestate->size equals the
full requested size.  Downstream readers treat that as a valid
buffer of that size and dereference data.

Fix: only set savestate->size on successful alloc.  Keeps the
NULL-data/zero-size invariant that the function's own pre-loop
initialisation (data=NULL, data_const=NULL, size=0) already
establishes for the 'not runahead' case.  runahead_save_state_free
correctly handles free(NULL) on the data pointer so the empty
placeholder teardown is safe.

=== Thread-safety ===

All four functions run on the runloop/main thread (runahead
state is single-threaded with respect to the input/runloop
subsystem).  No lock discipline changes.

=== Reachability ===

  * input_list_element_{constructor,realloc,expand}: hit every
    time a core polls a new input id for a port/device/index
    combination during runahead frames.  For cores with many
    input bindings (arcade, racing wheels with button banks,
    multi-tap console setups), the id space grows quickly.
    OOM at the initial NAME_MAX_LENGTH (typically 4096) calloc
    is unlikely on desktops but realistic on memory-tight
    embedded targets running runahead with a memory-hungry core.

  * runahead_save_state_alloc: runs once per runahead frame
    slot at init, plus on every core-requested savestate size
    change.  runahead_save_state_size can be multi-MB on
    modern emulator cores, making the alloc a realistic OOM
    site on 128-512MB handhelds.

=== Scope ===

Five bugs in two adjacent-ish functions, all OOM-related, all
in runahead.c.  Left the preempt_allocate at line ~1380 alone -
that function does NULL-check its per-frame malloc and
preempt_deinit's 'for i < preempt->frames; free(buffer[i])'
loop correctly handles the partial-init case because preempt
itself is calloc'd (unallocated buffer[i] slots are NULL and
free(NULL) is safe).

Author: LibretroAdmin

runahead.c

@@ -717,40 +717,69 @@ static void mylist_create(my_list **list_p, int initial_capacity,
 static void *input_list_element_constructor(void)
 {
    void *ptr                   = malloc(sizeof(input_list_element));
-   input_list_element *element = (input_list_element*)ptr;
+   input_list_element *element;
+
+   /* NULL-check the outer malloc: the field writes below
+    * (port/device/index/state_size) would NULL-deref on OOM.
+    * The caller (runahead_input_state_set_last) already tolerates
+    * a NULL return: 'if (element) { ... }'.  mylist_resize also
+    * tolerates a NULL constructor result - it just leaves
+    * list->data[i] = NULL. */
+   if (!ptr)
+      return NULL;
 
+   element                     = (input_list_element*)ptr;
    element->port               = 0;
    element->device             = 0;
    element->index              = 0;
    element->state              = (int16_t*)calloc(NAME_MAX_LENGTH,
          sizeof(int16_t));
+   /* NULL-check the inner calloc too.  If it fails the caller's
+    * 'element->state[id] = value' NULL-derefs.  No way to signal
+    * partial-failure through the constructor callback's return
+    * type, so free the outer allocation and return NULL to match
+    * the outer-OOM behaviour. */
+   if (!element->state)
+   {
+      free(ptr);
+      return NULL;
+   }
    element->state_size         = NAME_MAX_LENGTH;
 
    return ptr;
 }
 
-static void input_list_element_realloc(input_list_element *element,
+static bool input_list_element_realloc(input_list_element *element,
       unsigned int new_size)
 {
    if (new_size > element->state_size)
    {
-      element->state = (int16_t*)realloc(element->state,
+      /* realloc-to-tmp: the pre-patch 'element->state = realloc(
+       * element->state, ...)' self-assigns NULL on OOM, which
+       * then made the very next line '&element->state[element->
+       * state_size]' perform pointer arithmetic on NULL (UB) and
+       * the memset trap on a garbage address. */
+      int16_t *tmp = (int16_t*)realloc(element->state,
             new_size * sizeof(int16_t));
+      if (!tmp)
+         return false;
+      element->state = tmp;
       memset(&element->state[element->state_size], 0,
             (new_size - element->state_size) * sizeof(int16_t));
       element->state_size = new_size;
    }
+   return true;
 }
 
-static void input_list_element_expand(input_list_element *element,
+static bool input_list_element_expand(input_list_element *element,
       unsigned int new_index)
 {
    unsigned int new_size = element->state_size;
    if (new_size == 0)
       new_size = 32;
    while (new_index >= new_size)
       new_size *= 2;
-   input_list_element_realloc(element, new_size);
+   return input_list_element_realloc(element, new_size);
 }
 
 static void input_list_element_destructor(void* element_ptr)
@@ -785,8 +814,12 @@ static void runahead_input_state_set_last(
             && (element->index  == index)
          )
       {
-         if (id >= element->state_size)
-            input_list_element_expand(element, id);
+         /* Gate the state[id] write on expand success: if expand
+          * OOM'd, state_size is still too small and writing to
+          * state[id] would corrupt memory past the buffer. */
+         if (id >= element->state_size
+               && !input_list_element_expand(element, id))
+            return;
          element->state[id] = value;
          return;
       }
@@ -801,8 +834,10 @@ static void runahead_input_state_set_last(
       element->port         = port;
       element->device       = device;
       element->index        = index;
-      if (id >= element->state_size)
-         input_list_element_expand(element, id);
+      /* Same expand-OOM guard as the lookup branch above. */
+      if (id >= element->state_size
+            && !input_list_element_expand(element, id))
+         return;
       element->state[id]    = value;
    }
 }
@@ -917,7 +952,18 @@ static void *runahead_save_state_alloc(void)
    {
       savestate->data       = malloc(runloop_st->runahead_save_state_size);
       savestate->data_const = savestate->data;
-      savestate->size       = runloop_st->runahead_save_state_size;
+      /* Only record a non-zero size on successful alloc.  Pre-
+       * patch: on OOM data was left NULL but size was set to the
+       * requested value, which made downstream consumers treat
+       * the entry as a valid serialized-state buffer of that
+       * size and dereference data when reading.  Keeping size=0
+       * on failure matches the initial-state invariant above
+       * (data/data_const = NULL, size = 0) and makes the
+       * savestate a no-op placeholder that teardown
+       * (runahead_save_state_free) correctly handles via its
+       * free(savestate->data) with NULL being a safe no-op. */
+      if (savestate->data)
+         savestate->size    = runloop_st->runahead_save_state_size;
    }
 
    return savestate;