tasks/database: null-check malloc and plug leak in manual-scan rdb path setup

LibretroAdmin · LibretroAdmin · commit aeaaa2307249 · 2026-04-23T20:23:42.000+02:00
task_manual_content_scan_handler has a one-time setup block that
builds the path to the selected .rdb file when db_selection ==
MANUAL_CONTENT_SCAN_SELECT_DB_SPECIFIC. It heap-allocates two
PATH_MAX_LENGTH buffers:

    char* rdb_name     = (char*)malloc(str_len);
    char* rdb_fullpath = (char*)malloc(str_len);

and then immediately passes them to fill_pathname / fill_pathname_join_special.
Neither of those helpers guards against a NULL destination (both call
strlcpy(s, ...) on their first argument with no check), so if either
malloc fails the subsequent call segfaults.

Additionally, the adjacent goto task_finished triggered by
'string_list_new failure' walked out of the block without freeing
rdb_name / rdb_fullpath, leaking ~8 KiB on that OOM path.

Three-part fix:

  * After the two mallocs, check both and take the task_finished exit
    if either failed, freeing whichever one did succeed (free(NULL)
    is defined as a no-op, so no conditional needed on the companion
    buffer).

  * On the pre-existing 'string_list_new failed' exit, free the two
    buffers before taking task_finished.

  * Drop the redundant 'if (rdb_name) free(rdb_name);' /
    'if (rdb_fullpath) free(rdb_fullpath);' on the success path; the
    NULL-check is already implied by free's own semantics, so the
    conditionals are noise that misleads readers into thinking the
    pointers might legitimately be NULL by this point.

Scope: this only runs once per manual content scan (it's inside the
initialisation branch that executes when dbstate-&gt;list is still NULL),
so the fix is correctness-only, not performance.

Thread-safety: unchanged. Task handler runs on the task worker
thread; the mallocs, buffers, and dbstate are all local-or-owned by
this task. No shared state touched.

Separately: a longer-standing TODO at line 901 in
database_info_list_iterate_found_match flags two per-match
PATH_MAX_LENGTH heap allocations as 'needlessly large'. That one's
more complicated because db_crc there can legitimately grow to the
full PATH_MAX (carries db_state-&gt;serial which is declared as
char[4096]), so shrinking it would need auditing all serial sources
for their real max length. Deferred.
diff --git a/tasks/task_database.c b/tasks/task_database.c
@@ -1919,6 +1919,21 @@ static void task_manual_content_scan_handler(retro_task_t *task)
                         union string_list_elem_attr attr;
                         attr.i = 0;
 
+                        /* Bail out if either heap allocation failed.
+                         * fill_pathname and fill_pathname_join_special
+                         * both call strlcpy on their destination buffer
+                         * with no NULL guard, so proceeding with a NULL
+                         * rdb_name / rdb_fullpath would segfault.  Free
+                         * the one that did succeed (free(NULL) is a
+                         * no-op so no conditional needed) before taking
+                         * the task-finished exit. */
+                        if (!rdb_name || !rdb_fullpath)
+                        {
+                           free(rdb_name);
+                           free(rdb_fullpath);
+                           goto task_finished;
+                        }
+
                         fill_pathname(rdb_name,
                               manual_scan->task_config->database_name,
                               ".rdb", str_len);
@@ -1929,13 +1944,17 @@ static void task_manual_content_scan_handler(retro_task_t *task)
 
                         dbstate->list = string_list_new();
                         if (!dbstate->list)
-                           goto task_finished;
-                        string_list_append(dbstate->list, rdb_fullpath, attr);
-                        if (rdb_name)
+                        {
+                           /* Earlier code goto'd here without freeing
+                            * the two buffers above, leaking ~8 KiB on
+                            * this OOM path.  Free them explicitly. */
                            free(rdb_name);
-                        if (rdb_fullpath)
                            free(rdb_fullpath);
-
+                           goto task_finished;
+                        }
+                        string_list_append(dbstate->list, rdb_fullpath, attr);
+                        free(rdb_name);
+                        free(rdb_fullpath);
                      }
                      else
                      {
