Four independent defensive fixes, all bundled into a single combined

commit on top of master `b2d4002`.  No CI workflow changes required.

```
round4_delivery/
├── round4-combined.patch           single unified patch, ~566 lines
├── commit_message.msg              just the commit message body
├── README.md                       this file
└── libretro-common-samples/
    └── file/
        ├── config_file/config_file_test.c   extended sample
        └── nbio/nbio_test.c                 extended + cleaned-up sample
```

To apply:

```
cd RetroArch
git apply round4-combined.patch
git add -A
git commit -F round4_delivery/commit_message.msg
```

Or in one step with `git am`:

```
git am round4-combined.patch
```

Full technical detail lives in the patch's commit message; the
summary here is for quick reference.

| # | File | What |
|---|---|---|
| 11 | `file/config_file.c` | NULL dangling pointer fields in `config_file_deinitialize` |
| 12 | `file/config_file.c` | Check strdup return at three call sites |
| 13 | `file/config_file.c` | `isgraph((int)char)` UB → cast to `unsigned char` |
| 14 | `file/nbio/nbio_stdio.c` | `nbio_stdio_resize` realloc-before-commit |

All four are "latent landmine" tier — correct today only because of
indirect invariants or benign libc behaviour, not because of active
exploitable corruption.  Exception: patch 11 has a reachable UAF
under a specific public-API usage pattern (demonstrated via ASan
during test development).

If triaging: 11 > 12 > 14 > 13.

| Test | Kind | What it shows |
|---|---|---|
| `test_config_file_deinitialize_clears_fields` | **True regression discriminator** | Fails on unpatched source: `[FAILED] deinit left entries as dangling 0x...`; passes on patched |
| `test_config_file_high_bit_bytes_smoke` | Smoke test | glibc doesn't fire on the pre-patch code so this passes on both sides on a typical Linux host. Value: would trip under UBSan ctype instrumentation pre-patch, and crashes on stricter libcs pre-patch. Documented in the test comment. |
| `nbio_resize_smoke_test` | Smoke test | Forcing realloc to fail from user code would need an allocator hook, which breaks the self-contained-sample convention. Exercises the resize grow path normally; ASan catches buffer/length disagreement. |

Honest note on test coverage: patch 12 (the strdup chain) has no
targeted regression test.  The failure modes are all OOM-triggered,
and exercising them would require either an allocator hook or
deliberately exhausting memory — both out of scope for the
self-contained sample convention.  The existing config_file_test
cases implicitly exercise the non-OOM code paths, so a refactor
that breaks the happy path would still be caught.

While I was extending `nbio_test.c` I fixed two pre-existing issues
that would have bit the CI workflow:

  * Return 0 regardless of `[ERROR]` output → now returns 1 if any
    `[ERROR]` was printed.  This makes the test a real pass/fail
    signal for CI rather than just a build smoke.
  * Left `test.bin` in CWD after running → now cleans up.
    Also adds cleanup of the new `resize_test.bin` used by the
    resize smoke test.

For each patch:

1. **Patch first, then test.**  Applied each patch to the tree,
   confirmed clean compile with `-Wall -Werror`, and confirmed the
   existing sample tests still pass.
2. **Test against patched source.**  Ran the new tests expecting
   they pass.
3. **Revert the source, keep the tests.**  Ran the tests again.
   For patch 11 this fired the documented `[FAILED]` message; for
   13 and 14 the smoke tests passed on both sides (documented as
   smoke tests, not discriminators).

The patch 11 UAF was not just hypothetical — during test
development I reproduced a concrete heap-use-after-free (ASan
trace via `config_file_add_reference` after `config_file_deinitialize`
on the same struct).

- **14 patches** merged (across rounds 1-3) + **4 patches** this round = **18 total**
- **7 regression test files** + extensions this round
- **1 CI workflow** (added round 3 work)
- Every round verified by discrimination-test methodology where
  feasible; smoke-test-labelled where not

Author: LibretroAdmin

libretro-common/file/config_file.c

@@ -246,7 +246,7 @@ static char *config_file_extract_value(char *line)
       size_t idx  = 0;
       char *value = NULL;
       /* Find next space character */
-      while (line[idx] && isgraph((int)line[idx]))
+      while (line[idx] && isgraph((unsigned char)line[idx]))
          idx++;
 
       line[idx] = '\0';
@@ -380,7 +380,11 @@ static void config_file_add_sub_conf(config_file_t *conf, char *path,
    {
       node->next        = NULL;
       /* Add include list */
-      node->path        = strdup(path);
+      if (!(node->path = strdup(path)))
+      {
+         free(node);
+         goto realpath;
+      }
 
       if (head)
       {
@@ -393,6 +397,7 @@ static void config_file_add_sub_conf(config_file_t *conf, char *path,
          conf->includes = node;
    }
 
+realpath:
    config_file_get_realpath(s, len, path,
          conf->path);
 }
@@ -569,7 +574,7 @@ static bool config_file_parse_line(config_file_t *conf,
     * then copy once - avoids malloc+realloc growth pattern */
    {
       const char *key_start = line;
-      while (isgraph((int)*line))
+      while (isgraph((unsigned char)*line))
          line++;
       idx = (size_t)(line - key_start);
       if (idx == 0)
@@ -705,6 +710,23 @@ bool config_file_deinitialize(config_file_t *conf)
 
    RHMAP_FREE(conf->entries_map);
 
+   /* NULL out all pointer fields so that a caller who reuses the
+    * struct after deinitialize() -- or who accidentally calls
+    * deinitialize() twice -- does not chase dangling pointers.  The
+    * free() calls above leave every listed field pointing at freed
+    * memory; without these NULLs any subsequent config_* call on
+    * this struct is undefined behaviour.  config_file_free() frees
+    * the struct itself immediately after this, so for that path the
+    * NULLs are redundant but harmless; config_file_deinitialize()
+    * is a public API callable on its own. */
+   conf->entries     = NULL;
+   conf->tail        = NULL;
+   conf->last        = NULL;
+   conf->includes    = NULL;
+   conf->references  = NULL;
+   conf->path        = NULL;
+   /* entries_map is cleared by RHMAP_FREE */
+
    return true;
 }
 
@@ -1116,11 +1138,19 @@ bool config_get_char(config_file_t *conf, const char *key, char *in)
 bool config_get_string(config_file_t *conf, const char *key, char **str)
 {
    const struct config_entry_list *entry = config_get_entry(conf, key);
+   char *dup;
 
    if (!entry || !entry->value)
       return false;
 
-   *str = strdup(entry->value);
+   /* strdup can fail; pre-patch the function claimed success with
+    * *str possibly left as NULL or uninitialised garbage.  Callers
+    * that don't defensively zero *str ahead of the call end up
+    * dereferencing a stale pointer. */
+   if (!(dup = strdup(entry->value)))
+      return false;
+
+   *str = dup;
    return true;
 }
 
@@ -1239,9 +1269,20 @@ void config_set_string(config_file_t *conf, const char *key, const char *val)
    if (!(entry = (struct config_entry_list*)malloc(sizeof(*entry))))
       return;
    entry->readonly  = false;
+   entry->next      = NULL;
    entry->key       = strdup(key);
    entry->value     = strdup(val);
-   entry->next      = NULL;
+   /* If either strdup failed, don't insert a half-initialised entry
+    * into the list or hash map -- RHMAP_SET_STR with a NULL key
+    * is undefined, and subsequent config_get_string/config_set_*
+    * calls on this key would chase a NULL key. */
+   if (!entry->key || !entry->value)
+   {
+      free(entry->key);
+      free(entry->value);
+      free(entry);
+      return;
+   }
    conf->flags     |= CONF_FILE_FLG_MODIFIED;
    if (last)
       last->next    = entry;

libretro-common/file/nbio/nbio_stdio.c

@@ -252,14 +252,19 @@ static void nbio_stdio_resize(void *data, size_t len)
    if (len < handle->len)
       abort();
 
+   /* Attempt the realloc BEFORE committing the new length.  If it
+    * fails, the old pointer and its old size are still valid; the
+    * caller can retry or abandon.  Pre-patch we wrote handle->len
+    * = len first, then on realloc failure the handle claimed it
+    * owned a larger buffer than it actually did -- subsequent
+    * fread/fwrite iterate up to handle->len and walk off the end. */
+   if (!(new_data = realloc(handle->data, len)))
+      return;
+
+   handle->data     = new_data;
    handle->len      = len;
    handle->progress = len;
    handle->op       = -1;
-
-   new_data         = realloc(handle->data, handle->len);
-
-   if (new_data)
-      handle->data  = new_data;
 }
 
 static void *nbio_stdio_get_ptr(void *data, size_t* len)

libretro-common/samples/file/config_file/config_file_test.c

@@ -227,6 +227,152 @@ static void test_config_get_int_accepts(const char *raw_val, int want_int)
    config_file_free(cfg);
 }
 
+/* Regression for commit <round4-TBD> (config_file_deinitialize
+ * leaves dangling pointers).
+ *
+ * config_file_deinitialize() is a public API.  Pre-patch it freed
+ * entries, includes, references, path and the hash map but left the
+ * struct\'s pointer fields pointing at the just-freed memory.  Any
+ * subsequent call on that struct -- whether accidental double-
+ * deinit, reuse, or another access via the public API -- chased
+ * dangling pointers.  Post-patch all fields are NULLed.
+ *
+ * This test loads a config, deinitializes it without freeing the
+ * struct, then verifies that the struct\'s internal pointers are
+ * all NULL.  On unpatched code several of these would be stale
+ * non-NULL pointers to freed memory.
+ *
+ * Note: this inspects the config_file_t fields directly (white-box
+ * test).  The public header exposes the struct definition so this
+ * is legal, though a little unusual; there is no public getter for
+ * "is this struct still live".  The alternative -- provoking a
+ * real UAF via a second API call -- would fire ASan on unpatched
+ * but also crash on patched for unrelated reasons (add_reference
+ * dereferences conf->path unconditionally).  This direct field
+ * inspection is the cleanest way to assert the patch\'s invariant.
+ */
+static void test_config_file_deinitialize_clears_fields(void)
+{
+   config_file_t *cfg;
+   const char    *tmp_path = "rarch_cfg_deinit_test.cfg";
+   FILE          *fp       = fopen(tmp_path, "wb");
+
+   if (!fp)
+      abort();
+   fputs("foo = \"bar\"\nbaz = \"qux\"\n", fp);
+   fclose(fp);
+
+   cfg = config_file_new(tmp_path);
+   remove(tmp_path);
+   if (!cfg)
+      abort();
+
+   /* Add a reference so conf->references is non-NULL before deinit. */
+   config_file_add_reference(cfg, "some_ref");
+
+   /* Deinitialize without freeing the struct. */
+   config_file_deinitialize(cfg);
+
+   /* Every pointer field must now be NULL.  Pre-patch these would
+    * be stale pointers to freed memory. */
+   if (cfg->entries != NULL)
+   {
+      printf("[FAILED] deinit left entries as dangling %p\n", (void*)cfg->entries);
+      free(cfg);
+      abort();
+   }
+   if (cfg->includes != NULL)
+   {
+      printf("[FAILED] deinit left includes as dangling %p\n", (void*)cfg->includes);
+      free(cfg);
+      abort();
+   }
+   if (cfg->references != NULL)
+   {
+      printf("[FAILED] deinit left references as dangling %p\n", (void*)cfg->references);
+      free(cfg);
+      abort();
+   }
+   if (cfg->path != NULL)
+   {
+      printf("[FAILED] deinit left path as dangling %p\n", (void*)cfg->path);
+      free(cfg);
+      abort();
+   }
+   /* entries_map is cleared by RHMAP_FREE on all versions so we do
+    * not check it here. */
+
+   printf("[SUCCESS] config_file_deinitialize cleared all dangling pointer fields\n");
+   free(cfg);
+}
+
+/* Smoke test for commit <round4-TBD> (isgraph((int)char) UB on
+ * signed-char platforms).
+ *
+ * In the config parser, isgraph() is called on each byte of the
+ * key / unquoted value to find the token end.  Pre-patch the cast
+ * was (int), so bytes >= 0x80 became negative ints on signed-char
+ * platforms.  The C standard says ctype functions must be called
+ * with EOF or an unsigned-char value; anything else is undefined
+ * behaviour.  glibc and musl happen to handle negative arguments
+ * gracefully, but stricter libcs (Solaris, some embedded toolchains)
+ * trip an assert or array-bounds fault.  Post-patch the cast is
+ * (unsigned char).
+ *
+ * This is explicitly a smoke test: glibc and musl do not fire on
+ * the pre-patch code either, so this test passes on both patched
+ * and unpatched sources when run on a typical Linux host.  Its
+ * value is two-fold:
+ *   - Under UBSan with ctype function-arg instrumentation, the
+ *     pre-patch code would trip (currently not wired into this
+ *     test suite).
+ *   - On a stricter libc, the pre-patch code would crash; this
+ *     test therefore documents the expected contract and catches
+ *     any future regression on such a platform.
+ *
+ * The test feeds a config value containing bytes in the 0x80-0xFF
+ * range and verifies the parser does not crash.  Per the isgraph
+ * contract these bytes are non-graph in the C locale, so the parser
+ * will reject the key -- which is the CORRECT behaviour.  The test
+ * passes if the parser completes cleanly rather than crashing.
+ */
+static void test_config_file_high_bit_bytes_smoke(void)
+{
+   /* Config with a high-bit byte (0xC3 0xA9 is UTF-8 "e-acute") in
+    * both the key and the value.  The parser\'s isgraph() check
+    * terminates the key at the first non-graph byte, so this line
+    * is rejected as a syntactic error -- that is fine; what we care
+    * about is that the ctype call did not trip UB on the 0xC3 byte. */
+   const char    *cfgtext  = "caf\xc3\xa9 = \"valu\xc3\xa9\"\n"
+                             "plain = \"ok\"\n";
+   char          *copy     = strdup(cfgtext);
+   config_file_t *cfg      = config_file_new_from_string(copy, NULL);
+   char          *out      = NULL;
+   free(copy);
+
+   if (!cfg)
+   {
+      printf("[FAILED] parser refused to load config containing high-bit bytes\n");
+      abort();
+   }
+
+   /* Sanity: the plain key on the following line should still parse.
+    * This confirms the parser recovered from the rejected key and
+    * kept going rather than bailing on the whole file. */
+   if (!config_get_string(cfg, "plain", &out) || !out || strcmp(out, "ok") != 0)
+   {
+      printf("[FAILED] high-bit byte line disrupted subsequent parsing: plain=%s\n",
+            out ? out : "(null)");
+      free(out);
+      config_file_free(cfg);
+      abort();
+   }
+
+   free(out);
+   config_file_free(cfg);
+   printf("[SUCCESS] high-bit byte in config parsed without crash\n");
+}
+
 int main(void)
 {
    test_config_file_parse_contains("foo = \"bar\"\n",   "foo", "bar");
@@ -267,4 +413,7 @@ int main(void)
    test_config_get_int_accepts("-17",   -17);
    test_config_get_int_accepts("0x10",   16);  /* hex via base-0 detection */
    test_config_get_int_accepts("010",     8);  /* octal  via base-0 detection */
+
+   test_config_file_deinitialize_clears_fields();
+   test_config_file_high_bit_bytes_smoke();
 }