frontend/unix: NULL-check every alloc in inotify path watcher setup

LibretroAdmin · LibretroAdmin · commit ed41ed5700f0 · 2026-04-23T21:03:22.000+02:00
frontend_unix_watch_path_for_changes (the HAS_INOTIFY setup branch)
called four allocators back-to-back with no NULL checks:

    inotify_data            = (inotify_data_t*)calloc(1, sizeof(*inotify_data));
    inotify_data-&gt;fd        = fd;
    inotify_data-&gt;wd_list   = int_vector_list_new();
    inotify_data-&gt;path_list = string_list_new();
    ...
    *change_data = (path_change_data_t*)calloc(1, sizeof(path_change_data_t));
    (*change_data)-&gt;data = inotify_data;

Two concrete failure modes:

  1. NULL-deref: if calloc(1, sizeof(inotify_data_t)) returned NULL,
     the 'inotify_data-&gt;fd = fd' on the very next line segfaulted.
     Same problem with the trailing '(*change_data)-&gt;data = ...'
     if the second calloc failed.

  2. Silent partial-success leaks: if inotify_data's calloc succeeded
     but int_vector_list_new or string_list_new returned NULL, the
     subsequent for-loop still called int_vector_list_append and
     string_list_append on a NULL list; the latter dereferences
     list-&gt;size (libretro-common/lists/string_list.c:145) for a
     second NULL-deref.  If, conversely, all three list allocations
     succeeded but the second calloc (path_change_data_t) failed,
     the function returned with inotify_data + its two sub-lists +
     the already-established inotify_add_watch kernel watches all
     orphaned (inotify_data is not reachable from anywhere since
     *change_data is still NULL).

Fix: NULL-check each allocation in turn.  On any failure, unwind
what was built up - closing the inotify fd automatically releases
all its inotify_add_watch entries in the kernel (inotify(7):
'all associated watches are automatically freed' on fd close), so
no manual inotify_rm_watch loop is needed on the final failure
path.  Leave *change_data untouched on every failure path, which
is what callers already expect as 'no watcher is set up' (the
tear-down branch at the top of this same function uses
'change_data &amp;&amp; *change_data' as its presence check).

Reachability: this runs when the user enables playlist auto-scan,
history tracking, or one of the other 'watch this folder for
changes' features.  Not a hot path.  But the allocations here are
for small structs (tens of bytes each), so OOM on them indicates
genuine memory pressure where segfaulting rather than degrading
gracefully is the wrong outcome.

Thread-safety: unchanged.  Watcher setup/teardown runs on the
main thread; inotify_data and the change_data indirection belong
to the caller's state.
diff --git a/frontend/drivers/platform_unix.c b/frontend/drivers/platform_unix.c
@@ -2961,10 +2961,37 @@ static void frontend_unix_watch_path_for_changes(struct string_list *list,
       return;
    }
 
-   inotify_data            = (inotify_data_t*)calloc(1, sizeof(*inotify_data));
+   /* NULL-check every allocation step.  Previously this function
+    * called calloc + int_vector_list_new + string_list_new + the
+    * second calloc with no guards, then dereferenced each result
+    * immediately - an OOM on any of them segfaulted, and a partial
+    * success (e.g. inotify_data allocated but wd_list alloc failed)
+    * leaked the earlier allocations together with the already-
+    * established inotify_add_watch kernel watches.  On any failure
+    * below, unwind what we did manage to set up and return with
+    * *change_data left untouched (callers treat NULL *change_data
+    * as 'no watcher is set up'). */
+   if (!(inotify_data = (inotify_data_t*)calloc(1, sizeof(*inotify_data))))
+   {
+      close(fd);
+      return;
+   }
    inotify_data->fd        = fd;
-   inotify_data->wd_list   = int_vector_list_new();
-   inotify_data->path_list = string_list_new();
+
+   if (!(inotify_data->wd_list = int_vector_list_new()))
+   {
+      free(inotify_data);
+      close(fd);
+      return;
+   }
+
+   if (!(inotify_data->path_list = string_list_new()))
+   {
+      int_vector_list_free(inotify_data->wd_list);
+      free(inotify_data);
+      close(fd);
+      return;
+   }
 
    if (flags & PATH_CHANGE_TYPE_MODIFIED)
       inotify_mask |= IN_MODIFY;
@@ -2992,7 +3019,18 @@ static void frontend_unix_watch_path_for_changes(struct string_list *list,
       string_list_append(inotify_data->path_list, list->elems[i].data, attr);
    }
 
-   *change_data = (path_change_data_t*)calloc(1, sizeof(path_change_data_t));
+   if (!(*change_data = (path_change_data_t*)calloc(1, sizeof(path_change_data_t))))
+   {
+      /* Rip down everything we built up: the fd, the kernel watches
+       * it owns, both lists, and inotify_data itself.  Closing fd
+       * auto-removes all its inotify_add_watch entries, so we do not
+       * need to iterate wd_list and inotify_rm_watch by hand. */
+      string_list_free(inotify_data->path_list);
+      int_vector_list_free(inotify_data->wd_list);
+      close(inotify_data->fd);
+      free(inotify_data);
+      return;
+   }
    (*change_data)->data = inotify_data;
 #endif
 }
