libretro-common: harden archive/stream parsers + CI regressions

Three independent memory-safety / DoS fixes under libretro-common,
their regression tests, and a CI workflow update.

samples/net: fix undefined references in Makefile
  The net/ sample Makefile listed only a subset of the sources
  required to link its three binaries -- make all failed on
  strlcpy_retro__, string_list_*, fill_pathname_resolve_relative,
  cpu_features_get_time_usec, getnameinfo_retro.  Add the missing
  libretro-common sources so http_test, http_parse_test and
  net_ifinfo build on a vanilla Linux host.

file/archive_file_zstd: guard content_size truncation and overflow
  zstd_parse_file_iterate_step truncated the 64-bit content_size
  into a uint32_t without range check; a crafted .zst declaring
  content_size >= 2^32 truncated low-32 while ZSTD_decompress still

Author: LibretroAdmin

.github/workflows/Linux-libretro-common-samples.yml

@@ -51,10 +51,13 @@ jobs:
             snprintf
             unbase64_test
             archive_zip_test
+            archive_zstd_test
             config_file_test
             path_resolve_realpath_test
             nbio_test
             rpng
+            rzip_chunk_size_test
+            net_ifinfo
           )
 
           # Per-binary run command (overrides ./<binary> if present).
@@ -72,18 +75,11 @@ jobs:
           # regressions but not executed.
           declare -a BUILD_ONLY_DIRS=(
             formats/xml
-            streams/rzip
           )
 
           # Samples that are currently broken at build time on a stock
-          # Ubuntu host and are therefore neither built nor run.  The
-          # net/ Makefile references symbols (fill_pathname_resolve_relative,
-          # cpu_features_get_time_usec) without adding the corresponding
-          # source files to its SOURCES list; fixing that is out of
-          # scope for this workflow.  Remove from this list once the
-          # Makefile is corrected.
+          # Ubuntu host and are therefore neither built nor run.
           declare -a SKIP_DIRS=(
-            net
           )
 
           is_in() {
@@ -129,14 +125,16 @@ jobs:
               continue
             fi
 
-            # Extract targets from Makefile (handles both TARGET := foo
-            # and TARGETS = a b c).
+            # Extract targets from Makefile.  Handles:
+            #   TARGET := foo
+            #   TARGETS = a b c
+            #   TARGET_TEST := foo_test     (second target in same Makefile)
             mapfile -t targets < <(
-              grep -hE '^(TARGET|TARGETS)[[:space:]]*[:?]?=' "$d/Makefile" \
-              | head -1 \
+              grep -hE '^(TARGET|TARGETS|TARGET_TEST)[[:space:]]*[:?]?=' "$d/Makefile" \
               | sed -E 's/^[^=]*=[[:space:]]*//' \
               | tr -s ' \t' '\n' \
-              | grep -v '^$'
+              | grep -v '^$' \
+              | sort -u
             )
 
             for t in "${targets[@]}"; do

libretro-common/file/archive_file_zstd.c

@@ -21,6 +21,7 @@
  */
 
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 
 #include <boolean.h>
@@ -136,6 +137,12 @@ static int zstd_parse_file_iterate_step(void *context,
       || content_size == ZSTD_CONTENTSIZE_ERROR)
       return -1;
 
+   /* decompressed_size is a uint32_t and feeds a later malloc; reject
+    * values that would truncate to a smaller size and mismatch the
+    * actual ZSTD_decompress output length. */
+   if (content_size > UINT32_MAX)
+      return -1;
+
    ctx->decompressed_size = (uint32_t)content_size;
 
    strlcpy(userdata->current_file_path, ctx->inner_filename,
@@ -293,6 +300,17 @@ static int64_t zstd_file_read(
       return -1;
    }
 
+   /* Reject sizes that would overflow the "+1" NUL-byte allocation or
+    * truncate when cast to size_t on 32-bit hosts.  Without this guard
+    * content_size = 0xFFFFFFFF on a 32-bit host wraps the +1 to zero,
+    * malloc(0) may return a non-NULL pointer, and the following
+    * ZSTD_decompress writes 4 GiB into it. */
+   if (content_size >= SIZE_MAX)
+   {
+      free(compressed_data);
+      return -1;
+   }
+
    decompressed = (uint8_t*)malloc((size_t)(content_size + 1));
    if (!decompressed)
    {

libretro-common/samples/file/archive_zstd/Makefile

@@ -0,0 +1,20 @@
+TARGET := archive_zstd_test
+
+SOURCES := archive_zstd_test.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -O0
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean

libretro-common/samples/file/archive_zstd/archive_zstd_test.c

@@ -0,0 +1,173 @@
+/* Copyright  (C) 2010-2026 The RetroArch team
+ *
+ * ---------------------------------------------------------------------------------------
+ * The following license statement only applies to this file (archive_zstd_test.c).
+ * ---------------------------------------------------------------------------------------
+ *
+ * Permission is hereby granted, free of charge,
+ * to any person obtaining a copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+/* Contract test for archive_file_zstd content_size guards.
+ *
+ * Self-contained: does NOT link against libzstd or the archive
+ * backend.  The bugs being guarded against are arithmetic truncation
+ * and addition overflow on an attacker-controlled 64-bit value
+ * returned by ZSTD_getFrameContentSize(); the guards live in
+ * archive_file_zstd.c and are plain integer comparisons.
+ *
+ * This test is explicitly a CONTRACT test, not a regression test.
+ * It validates that the guard SPEC (as replicated in the oracle
+ * functions below) behaves correctly on boundary inputs.  It does
+ * NOT call into archive_file_zstd.c, so it cannot detect if someone
+ * later edits the real guards in a way that diverges from this spec.
+ *
+ * Why: a true regression test would need to link libzstd to exercise
+ * ZSTD_getFrameContentSize on a crafted frame, which would introduce
+ * an external dependency this samples tree does not otherwise carry.
+ * The contract test is the next-best thing within that constraint.
+ *
+ * What the real patched code does (keep these in sync with the
+ * oracle functions below):
+ *
+ *   zstd_parse_file_iterate_step() [iterate path]:
+ *       if (content_size > UINT32_MAX)
+ *           return -1;
+ *       ctx->decompressed_size = (uint32_t)content_size;
+ *
+ *   zstd_file_read() [decompress-in-place path]:
+ *       if (content_size >= SIZE_MAX)
+ *           return -1;
+ *       decompressed = malloc((size_t)(content_size + 1));
+ *
+ * If either real guard is ever edited, the corresponding oracle
+ * below must be updated to match or this test loses its value.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <limits.h>
+
+/* These match <zstd.h> but are reproduced here so we don't pull in
+ * the zstd headers.  Update if zstd ever redefines them. */
+#ifndef ZSTD_CONTENTSIZE_UNKNOWN
+#define ZSTD_CONTENTSIZE_UNKNOWN ((unsigned long long)0 - 1)
+#endif
+#ifndef ZSTD_CONTENTSIZE_ERROR
+#define ZSTD_CONTENTSIZE_ERROR   ((unsigned long long)0 - 2)
+#endif
+
+static int failures = 0;
+
+/* --- oracle: the patched iterate-path guard --------------------- *
+ * Must be kept in sync with archive_file_zstd.c:
+ *     zstd_parse_file_iterate_step.
+ * Returns 0 if the value is accepted, -1 if rejected.             */
+static int oracle_iterate_guard(unsigned long long content_size)
+{
+   if (   content_size == ZSTD_CONTENTSIZE_UNKNOWN
+       || content_size == ZSTD_CONTENTSIZE_ERROR)
+      return -1;
+   if (content_size > UINT32_MAX)
+      return -1;
+   return 0;
+}
+
+/* --- oracle: the patched read-path guard ------------------------ *
+ * Must be kept in sync with archive_file_zstd.c: zstd_file_read.  *
+ * Returns 0 if the value is accepted, -1 if rejected.             */
+static int oracle_read_guard(unsigned long long content_size)
+{
+   if (   content_size == ZSTD_CONTENTSIZE_UNKNOWN
+       || content_size == ZSTD_CONTENTSIZE_ERROR)
+      return -1;
+   if (content_size >= (unsigned long long)SIZE_MAX)
+      return -1;
+   return 0;
+}
+
+/* ================================================================ */
+
+typedef struct {
+   const char        *label;
+   unsigned long long value;
+   int                want_iterate;  /* expected oracle_iterate result */
+   int                want_read;     /* expected oracle_read result    */
+} case_t;
+
+int main(void)
+{
+   size_t i;
+   /* These cases exercise the boundaries the guards protect.  Each
+    * case lists the expected verdict for both the iterate path
+    * (uint32_t destination) and the read path (size_t + 1). */
+   case_t cases[] = {
+      /* label                           value                   iter  read */
+      { "zero",                           0,                       0,   0 },
+      { "typical small",                  1024,                    0,   0 },
+      { "100 MiB",                        100ULL * 1024 * 1024,    0,   0 },
+      { "UINT32_MAX exactly",             (unsigned long long)UINT32_MAX, 0,  0 },
+      { "UINT32_MAX + 1  (iterate trunc)",(unsigned long long)UINT32_MAX + 1, -1, 0 },
+      { "4 GiB  (iterate trunc)",         4ULL * 1024 * 1024 * 1024, -1, 0 },
+      { "2^63           (iterate trunc)", 1ULL << 63,               -1, 0 },
+      { "ZSTD_CONTENTSIZE_ERROR sentinel",ZSTD_CONTENTSIZE_ERROR,   -1, -1 },
+      { "ZSTD_CONTENTSIZE_UNKNOWN",       ZSTD_CONTENTSIZE_UNKNOWN, -1, -1 },
+      /* SIZE_MAX case -- on 64-bit, SIZE_MAX == ULLONG_MAX - 1,
+       * which equals ZSTD_CONTENTSIZE_ERROR, so the sentinel check
+       * catches it.  On 32-bit, SIZE_MAX is far smaller and the
+       * >= SIZE_MAX branch catches it first.  Either way: rejected
+       * on the read path.  On the iterate path it's also rejected
+       * (too big for uint32_t). */
+      { "SIZE_MAX (read-path guard)",     (unsigned long long)SIZE_MAX, -1, -1 },
+   };
+
+   for (i = 0; i < sizeof(cases)/sizeof(cases[0]); i++)
+   {
+      int got_iter = oracle_iterate_guard(cases[i].value);
+      int got_read = oracle_read_guard(cases[i].value);
+
+      if (got_iter != cases[i].want_iterate)
+      {
+         printf("[FAILED] iterate-guard(%s=%llu) got %d want %d\n",
+               cases[i].label,
+               (unsigned long long)cases[i].value,
+               got_iter, cases[i].want_iterate);
+         failures++;
+         continue;
+      }
+      if (got_read != cases[i].want_read)
+      {
+         printf("[FAILED] read-guard(%s=%llu) got %d want %d\n",
+               cases[i].label,
+               (unsigned long long)cases[i].value,
+               got_read, cases[i].want_read);
+         failures++;
+         continue;
+      }
+      printf("[SUCCESS] %-40s iter=%s read=%s\n",
+            cases[i].label,
+            got_iter == 0 ? "accept" : "reject",
+            got_read == 0 ? "accept" : "reject");
+   }
+
+   if (failures)
+   {
+      printf("\n%d test(s) failed\n", failures);
+      return 1;
+   }
+   printf("\nAll zstd content_size regression tests passed.\n");
+   return 0;
+}

libretro-common/samples/net/Makefile

@@ -31,8 +31,18 @@ HTTP_TEST_C = \
 				  $(LIBRETRO_COMM_DIR)/net/net_compat.c \
 				  $(LIBRETRO_COMM_DIR)/net/net_socket.c \
 				  $(LIBRETRO_COMM_DIR)/compat/compat_strl.c \
+				  $(LIBRETRO_COMM_DIR)/compat/compat_strcasestr.c \
+				  $(LIBRETRO_COMM_DIR)/compat/compat_posix_string.c \
 				  $(LIBRETRO_COMM_DIR)/encodings/encoding_utf.c \
+				  $(LIBRETRO_COMM_DIR)/features/features_cpu.c \
+				  $(LIBRETRO_COMM_DIR)/file/file_path.c \
+				  $(LIBRETRO_COMM_DIR)/file/file_path_io.c \
+				  $(LIBRETRO_COMM_DIR)/lists/string_list.c \
+				  $(LIBRETRO_COMM_DIR)/streams/file_stream.c \
 				  $(LIBRETRO_COMM_DIR)/string/stdstring.c \
+				  $(LIBRETRO_COMM_DIR)/time/rtime.c \
+				  $(LIBRETRO_COMM_DIR)/vfs/vfs_implementation.c \
+				  $(LIBRETRO_COMM_DIR)/compat/fopen_utf8.c \
 				  net_http_test.c
 
 HTTP_TEST_OBJS := $(HTTP_TEST_C:.c=.o)
@@ -44,14 +54,25 @@ HTTP_PARSE_TEST_C = \
 				  $(LIBRETRO_COMM_DIR)/net/net_socket.c \
 				  $(LIBRETRO_COMM_DIR)/compat/compat_strl.c \
 				  $(LIBRETRO_COMM_DIR)/compat/compat_strcasestr.c \
+				  $(LIBRETRO_COMM_DIR)/compat/compat_posix_string.c \
 				  $(LIBRETRO_COMM_DIR)/encodings/encoding_utf.c \
+				  $(LIBRETRO_COMM_DIR)/features/features_cpu.c \
+				  $(LIBRETRO_COMM_DIR)/file/file_path.c \
+				  $(LIBRETRO_COMM_DIR)/file/file_path_io.c \
+				  $(LIBRETRO_COMM_DIR)/lists/string_list.c \
+				  $(LIBRETRO_COMM_DIR)/streams/file_stream.c \
 				  $(LIBRETRO_COMM_DIR)/string/stdstring.c \
+				  $(LIBRETRO_COMM_DIR)/time/rtime.c \
+				  $(LIBRETRO_COMM_DIR)/vfs/vfs_implementation.c \
+				  $(LIBRETRO_COMM_DIR)/compat/fopen_utf8.c \
 				  net_http_parse_test.c
 
 HTTP_PARSE_TEST_OBJS := $(HTTP_PARSE_TEST_C:.c=.o)
 
 NET_IFINFO_C = \
 					$(LIBRETRO_COMM_DIR)/net/net_ifinfo.c \
+					$(LIBRETRO_COMM_DIR)/net/net_compat.c \
+					$(LIBRETRO_COMM_DIR)/compat/compat_strl.c \
 					net_ifinfo_test.c
 
 ifeq ($(platform), win)

libretro-common/samples/streams/rzip/Makefile

@@ -1,4 +1,5 @@
 TARGET := rzip
+TARGET_TEST := rzip_chunk_size_test
 
 LIBRETRO_COMM_DIR := ../../..
 LIBRETRO_DEPS_DIR := ../../../../deps
@@ -21,8 +22,7 @@ ifeq ($(UNAME), MSYS)
 	TARGET := rzip.exe
 endif
 
-SOURCES := \
-	rzip.c \
+COMMON_SOURCES := \
 	$(LIBRETRO_COMM_DIR)/compat/fopen_utf8.c \
 	$(LIBRETRO_COMM_DIR)/compat/compat_strl.c \
 	$(LIBRETRO_COMM_DIR)/compat/compat_strcasestr.c \
@@ -47,7 +47,7 @@ ifneq ($(wildcard $(LIBRETRO_DEPS_DIR)/*),)
 	# If we are building from inside the RetroArch
 	# directory (i.e. if an 'external' deps directory
 	# is available), bake in zlib support
-	SOURCES += \
+	COMMON_SOURCES += \
 		$(LIBRETRO_DEPS_DIR)/libz/adler32.c \
 		$(LIBRETRO_DEPS_DIR)/libz/libz-crc32.c \
 		$(LIBRETRO_DEPS_DIR)/libz/deflate.c \
@@ -68,7 +68,12 @@ else
 	LDFLAGS += -lz
 endif
 
-OBJS := $(SOURCES:.c=.o)
+SOURCES      := rzip.c $(COMMON_SOURCES)
+SOURCES_TEST := rzip_chunk_size_test.c $(COMMON_SOURCES)
+
+OBJS      := $(SOURCES:.c=.o)
+OBJS_TEST := $(SOURCES_TEST:.c=.o)
+
 INCLUDE_DIRS += -I$(LIBRETRO_COMM_DIR)/include
 CFLAGS += -DHAVE_ZLIB -Wall -pedantic -std=gnu99 $(INCLUDE_DIRS)
 
@@ -87,15 +92,18 @@ else
 	CFLAGS += -O2 -DNDEBUG
 endif
 
-all: $(TARGET)
+all: $(TARGET) $(TARGET_TEST)
 
 %.o: %.c
 	$(CC) -c -o $@ $< $(CFLAGS)
 
 $(TARGET): $(OBJS)
 	$(CC) -o $@ $^ $(LDFLAGS)
 
+$(TARGET_TEST): $(OBJS_TEST)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
 clean:
-	rm -f $(TARGET) $(OBJS)
+	rm -f $(TARGET) $(TARGET_TEST) $(OBJS) $(OBJS_TEST)
 
 .PHONY: clean