libretro-common/queues: NULL-check allocations in generic_queue and task_queue

LibretroAdmin · LibretroAdmin · commit 8521da98862c · 2026-04-23T22:07:07.000+02:00
Several call sites in the queue implementation code allocated a
struct then immediately dereferenced it with no NULL check,
segfaulting on OOM:

  * generic_queue_push (line 79): calloc then 5 field writes.
    Also was missing the 'if (!queue) return' check that the
    sibling generic_queue_shift has at line 134.
  * generic_queue_shift (line 137): same as _push.
  * generic_queue_iterator (line 217): malloc then 3 field writes.
  * retro_task_regular_retrieve (task_queue.c line 312): malloc +
    malloc back-to-back, then field writes on info.  The inner
    info-&gt;data malloc additionally fed into data-&gt;func which is
    free to dereference it.

All four are void-returning or NULL-returning, so the appropriate
OOM behaviour is a silent skip / NULL return.  length and the
first_item/last_item chain stay consistent on skip because we
return before incrementing anything.
diff --git a/libretro-common/queues/generic_queue.c b/libretro-common/queues/generic_queue.c
@@ -76,7 +76,21 @@ void generic_queue_push(generic_queue_t *queue, void *value)
 {
    struct generic_queue_item_t *new_item;
 
-   new_item = (struct generic_queue_item_t *)calloc(1, sizeof(struct generic_queue_item_t));
+   /* NULL-check queue: the sibling generic_queue_shift does this
+    * too, but _push was missing it.  new_item->previous = queue->
+    * last_item on a NULL queue would segfault. */
+   if (!queue)
+      return;
+
+   /* NULL-check calloc: the subsequent new_item->value / ->previous
+    * / ->next assignments would all segfault on OOM.  The function
+    * returns void, so we can't signal failure to the caller; a
+    * silent no-op on OOM is the only option.  length stays
+    * unchanged, which keeps the length/first_item/last_item
+    * invariant consistent. */
+   if (!(new_item = (struct generic_queue_item_t *)calloc(1, sizeof(struct generic_queue_item_t))))
+      return;
+
    new_item->value = value;
    new_item->previous = queue->last_item;
    new_item->next = NULL;
@@ -134,7 +148,14 @@ void generic_queue_shift(generic_queue_t *queue, void *value)
    if (!queue)
       return;
 
-   new_item = (struct generic_queue_item_t *)calloc(1, sizeof(struct generic_queue_item_t));
+   /* NULL-check calloc: the subsequent field writes would all
+    * segfault on OOM.  Same silent-no-op-on-OOM approach as
+    * generic_queue_push.  length and the first_item/last_item
+    * invariant stay consistent because we return before touching
+    * either. */
+   if (!(new_item = (struct generic_queue_item_t *)calloc(1, sizeof(struct generic_queue_item_t))))
+      return;
+
    new_item->value = value;
    new_item->previous = NULL;
    new_item->next = queue->first_item;
@@ -214,7 +235,13 @@ generic_queue_iterator_t *generic_queue_iterator(generic_queue_t *queue, bool fo
    {
       generic_queue_iterator_t *iterator;
 
-      iterator = (generic_queue_iterator_t *)malloc(sizeof(generic_queue_iterator_t));
+      /* NULL-check malloc: the three field writes below would
+       * segfault on OOM.  The function already returns NULL for
+       * the empty-queue / NULL-queue case below, so returning
+       * NULL on OOM is consistent with the existing contract. */
+      if (!(iterator = (generic_queue_iterator_t *)malloc(sizeof(generic_queue_iterator_t))))
+         return NULL;
+
       iterator->queue = queue;
       iterator->item = forward ? queue->first_item : queue->last_item;
       iterator->forward = forward;
diff --git a/libretro-common/queues/task_queue.c b/libretro-common/queues/task_queue.c
@@ -308,10 +308,21 @@ static void retro_task_regular_retrieve(task_retriever_data_t *data)
       if (task->handler != data->handler)
          continue;
 
-      /* Create new link */
-      info       = (task_retriever_info_t*)
-         malloc(sizeof(task_retriever_info_t));
-      info->data = malloc(data->element_size);
+      /* Create new link.  NULL-check both allocations: the previous
+       * form dereferenced info on the very next line, and passed
+       * info->data (potentially NULL from the second malloc) into
+       * data->func which is free to dereference it.  On OOM just
+       * skip this task - the retriever already tolerates tasks
+       * being absent from the result list (data->func returning
+       * false is the documented 'skip' signal). */
+      if (!(info = (task_retriever_info_t*)
+            malloc(sizeof(task_retriever_info_t))))
+         continue;
+      if (!(info->data = malloc(data->element_size)))
+      {
+         free(info);
+         continue;
+      }
       info->next = NULL;
 
       /* Call retriever function and fill info-specific data */
