libretro-db/rmsgpack: fix buffer overflow in RDT_BINARY read_into path

LibretroAdmin · LibretroAdmin · commit 91eba66b26b2 · 2026-04-23T18:07:52.000+02:00
In rmsgpack_dom_read_into's RDT_BINARY case, the caller's buffer
capacity (passed in via *uint_value) was being overwritten with the
source field's length before the bound-check min() was evaluated:

    *uint_value    = value-&gt;val.binary.len;        /* clobber */
    min_len        = (value-&gt;val.binary.len &gt; *uint_value) ?
                        *uint_value : value-&gt;val.binary.len;
    memcpy(buff_value, value-&gt;val.binary.buff, min_len);

After the clobber, the comparison collapses to 'len &gt; len' which is
always false, so min_len always equals the source length and the
memcpy copies the full on-disk binary blob regardless of the caller's
buffer size. With an attacker-crafted libretro-db file (or a
corrupted one), this is a heap/stack buffer overflow sized by
untrusted input.

The sibling RDT_STRING case had the correct order (compute min_len
first using source_len and *uint_value, then write min_len back to
*uint_value). Apply the same ordering to RDT_BINARY.

Reachability: no caller of rmsgpack_dom_read_into currently requests
an RDT_BINARY field - the two call sites in libretrodb.c request only
RDT_UINT and RDT_STRING. So the bug is latent: fixing it now means
that whenever someone legitimately adds an RDT_BINARY field to a db
schema and wires up a read_into call, they won't silently inherit an
overflow.

Behavior change: none for callers whose buffer is at least as large
as the on-disk value (min_len collapses to source length either way).
Overflow prevented when the on-disk length exceeds caller's buffer;
the caller's *uint_value is set to the actual number of bytes copied,
mirroring the RDT_STRING contract.

Thread-safety: none affected. The function operates on a stack-local
va_list and a stack-local map tree; writes go through caller-provided
pointers. No shared state.
diff --git a/libretro-db/rmsgpack_dom.c b/libretro-db/rmsgpack_dom.c
@@ -506,9 +506,15 @@ int rmsgpack_dom_read_into(intfstream_t *fd, ...)
             case RDT_BINARY:
                buff_value     = va_arg(ap, char *);
                uint_value     = va_arg(ap, uint64_t *);
-               *uint_value    = value->val.binary.len;
+               /* *uint_value is the caller's buffer capacity on entry
+                * and the number of bytes copied on exit.  Compute the
+                * clamped copy length BEFORE overwriting *uint_value,
+                * otherwise the bound check collapses to len > len and
+                * the memcpy can overrun the caller's buffer with
+                * attacker-controlled length from the db file. */
                min_len        = (value->val.binary.len > *uint_value) ?
                   *uint_value : value->val.binary.len;
+               *uint_value    = min_len;
 
                memcpy(buff_value, value->val.binary.buff, (size_t)min_len);
                break;
