gfx/video_shader_parse: clamp replace_text length and prefix+_len in wildcard replacement

LibretroAdmin · LibretroAdmin · commit bac68947b04b · 2026-04-28T02:48:49.000+02:00
video_shader_replace_wildcards_impl built each replacement
value into a 256-byte stack buffer:

  char replace_text[256];
  _len = strlcpy(replace_text, source, sizeof(replace_text));

then unbounded:

  memcpy(dst + prefix, replace_text, _len);
  strlcpy(dst + prefix + _len, found + token_len,
          PATH_MAX_LENGTH - prefix - _len);

Two related primitives were exposed:

 1. strlcpy returns strlen(source) regardless of destination
    capacity.  When source resolved to a $CONTENT-DIR$ /
    $PRESET-DIR$ / $CORE$ / $GAME$ value longer than 256
    bytes (DIR_MAX_LENGTH is 4096, library_name and
    path_basename are platform-dependent and routinely
    exceed 256), _len was strlen(source).  The memcpy then
    read past the end of the 256-byte replace_text array
    into adjacent stack memory.

 2. The same _len fed (size_t)(PATH_MAX_LENGTH - prefix -
    _len) on the next line.  When prefix + _len exceeded
    PATH_MAX_LENGTH the subtraction underflowed size_t to a
    huge value and the strlcpy walked off the end of dst.
    Even with the _len clamp from (1), a wildcard token
    placed near the end of the input path (legitimate for
    an attacker-supplied .slangp/.glslp) lets prefix +
    REPLACE_BUF_SZ exceed PATH_MAX_LENGTH on its own.

The snprintf-chained branches (CORE_REQUESTED_ROTATION,
VIDEO_USER_ROTATION, VIDEO_FINAL_ROTATION,
SCREEN_ORIENTATION) had a sibling problem: snprintf returns
the would-have-written length, so _len += snprintf(...) on
a saturated buffer pushes _len past sizeof(replace_text)
even when the destination ate the entire size budget.

Reachable via shader presets the user opens.  These come
from the online updater (typically slang-shaders or
common-shaders), the user's own preset directory, and from
content-bundled presets distributed alongside ROMs.

Fix: clamp at the use site so all the upstream branches are
covered in one place.

  if (_len &gt;= sizeof(replace_text))
     _len = sizeof(replace_text) - 1;
  if (prefix &gt;= PATH_MAX_LENGTH || _len &gt;= PATH_MAX_LENGTH - prefix)
     break;

Adds samples/tasks/video_shader_parse/video_shader_wildcard_test
as a regression test, registered in
.github/workflows/Linux-samples-tasks.yml as an ASan-enabled
step.  Four cases:

  - short replacement produces correct output
  - long source (600 chars) clamped without OOB read
  - huge source (4000 chars) clamped without strlcpy underflow
  - prefix near PATH_MAX_LENGTH correctly bails out

Test follows the existing samples/tasks pattern (verbatim
copy of the post-fix arithmetic block, ASan as the
discriminator) used by archive_name_safety_test and
http_method_match_test.  Verified to fire under ASan when
the clamps are removed: stack-buffer-overflow READ of size
600 at offset 288 in replace_text (a 256-byte buffer).
With the clamps the test passes clean.

Note on test scope: the test exercises a verbatim copy of
the post-replacement arithmetic block from
video_shader_parse.c lines 344-358, not the full
video_shader_replace_wildcards_impl.  The full function
depends on settings_t / runloop_state / video driver
globals that aren't tractable to stub for a unit test --
following the convention used by archive_name_safety_test
("if task_decompress.c amends the predicate, the copy here
must follow"), the test's verbatim block must track the
production block.  A comment in the test points at the
production lines explicitly.
diff --git a/.github/workflows/Linux-samples-tasks.yml b/.github/workflows/Linux-samples-tasks.yml
@@ -100,3 +100,29 @@ jobs:
           test -x http_method_match_test
           timeout 60 ./http_method_match_test
           echo "[pass] http_method_match_test"
+
+      - name: Build and run video_shader_wildcard_test (ASan)
+        shell: bash
+        working-directory: samples/tasks/video_shader_parse
+        run: |
+          set -eu
+          # Regression test for the buffer-overflow defences in
+          # gfx/video_shader_parse.c::video_shader_replace_wildcards_impl().
+          # Pre-fix, _len = strlcpy(replace_text, source, 256)
+          # returned strlen(source) regardless of the 256-byte
+          # cap.  When source was a $CONTENT-DIR$ / $PRESET-DIR$
+          # / $CORE$ value longer than 256 bytes (DIR_MAX_LENGTH
+          # is 4096, NAME_MAX_LENGTH 256), the subsequent
+          # memcpy(dst + prefix, replace_text, _len) read off
+          # the end of replace_text and the strlcpy's size
+          # argument PATH_MAX_LENGTH - prefix - _len underflowed
+          # size_t.  Build under AddressSanitizer so the OOB
+          # read on replace_text and the underflow-driven OOB
+          # write on dst are both caught at the bounds level.
+          # If video_shader_parse.c amends the post-replacement
+          # arithmetic, the verbatim copy in
+          # video_shader_wildcard_test.c must follow.
+          make clean all SANITIZER=address
+          test -x video_shader_wildcard_test
+          timeout 60 ./video_shader_wildcard_test
+          echo "[pass] video_shader_wildcard_test"
diff --git a/gfx/video_shader_parse.c b/gfx/video_shader_parse.c
@@ -345,6 +345,29 @@ static void video_shader_replace_wildcards_impl(
          {
             char *tmp_ptr;
             size_t prefix = (size_t)(found - src);
+
+            /* _len comes from strlcpy / snprintf return values.
+             * strlcpy returns strlen(source) regardless of the
+             * destination capacity, and snprintf returns the
+             * "would-have-written" length, so on long sources
+             * (content_dir_name, library_name, path_basename,
+             * preset_dir_name, all of which can be up to
+             * DIR_MAX_LENGTH = 4096) _len exceeds
+             * sizeof(replace_text) = 256.  The memcpy below
+             * would then read past the end of replace_text into
+             * adjacent stack memory; the strlcpy further down
+             * would underflow (size_t)(PATH_MAX_LENGTH - prefix
+             * - _len) and write tens of GiB.  Clamp here at the
+             * use site so every preceding branch is covered. */
+            if (_len >= sizeof(replace_text))
+               _len = sizeof(replace_text) - 1;
+
+            /* Also bound prefix + _len against the dst buffer
+             * size so the strlcpy below doesn't underflow its
+             * size argument and walk off the end of dst. */
+            if (prefix >= PATH_MAX_LENGTH || _len >= PATH_MAX_LENGTH - prefix)
+               break;
+
             memcpy(dst, src, prefix);
             memcpy(dst + prefix, replace_text, _len);
             strlcpy(dst + prefix + _len, found + token_len,
diff --git a/samples/tasks/video_shader_parse/Makefile b/samples/tasks/video_shader_parse/Makefile
@@ -0,0 +1,25 @@
+TARGET := video_shader_wildcard_test
+
+SOURCES := video_shader_wildcard_test.c
+
+OBJS := $(SOURCES:.c=.o)
+
+CFLAGS += -Wall -pedantic -std=gnu99 -g -O0
+
+ifneq ($(SANITIZER),)
+   CFLAGS  := -fsanitize=$(SANITIZER) -fno-omit-frame-pointer $(CFLAGS)
+   LDFLAGS := -fsanitize=$(SANITIZER) $(LDFLAGS)
+endif
+
+all: $(TARGET)
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+$(TARGET): $(OBJS)
+	$(CC) -o $@ $^ $(LDFLAGS)
+
+clean:
+	rm -f $(TARGET) $(OBJS)
+
+.PHONY: clean
diff --git a/samples/tasks/video_shader_parse/video_shader_wildcard_test.c b/samples/tasks/video_shader_parse/video_shader_wildcard_test.c
