Commit eebab97
frontend/drivers: NULL-check allocations in android_app_create and FetchFS init
Two unchecked allocations in platform-frontend boot paths.
=== frontend/drivers/platform_unix.c: android_app_create ===
    if (savedState)
    {
        android_app->savedState = malloc(savedStateSize);
        android_app->savedStateSize = savedStateSize;
        memcpy(android_app->savedState, savedState, savedStateSize);
    }
malloc unchecked; memcpy NULL-derefs on OOM. This path runs
every time the Android activity is created with a non-NULL
saved-state blob - ANativeActivity re-creation happens on
screen rotation, backgrounding-then-resuming, and config
changes, all common on Android, all potentially during
memory pressure.
Fix: wrap the size-record and memcpy in an
'if (android_app->savedState)' guard. On OOM skip the saved-state copy - the
consumer at onSaveInstanceState (line 319) already gates on
android_app->savedState being non-NULL before reading it, and
android_app itself is calloc'd at line 441 so the
savedState / savedStateSize fields are zero-initialised. The
worst-case user-visible behaviour of skipping is that the app
launches fresh instead of restoring - strictly preferable to
a segfault.
Failing the whole android_app_create call here isn't a
reasonable option because the app-glue thread is already in
flight and expects the struct.
=== frontend/drivers/platform_emscripten.c: FetchFS init ===
char *base_url = strdup(line);
base_url[strcspn(base_url, "\r\n")] = '\0'; /* drop newline */
base_url[__len-1] = '\0'; /* drop newline */
strdup unchecked; the two base_url[...] = '\0' writes NULL-deref
on OOM. FetchFS init is a boot-time web-build operation; every
other init failure in this function (missing FETCH_MANIFEST /
FETCH_BASE_DIR env vars at line 853, missing manifest file at
line 860, fetch backend construction failure at line 884) calls
abort(). Match that policy rather than silently leaking state.
Fix: NULL-check strdup, abort() with a '[FetchFS] out of memory'
message on failure.
=== Not a bug ===
Also looked at but found clean:
- audio/audio_driver.c:1456 and audio/drivers/{alsa,alsathread,
pipewire}.c use the 'if (!(x = alloc(...)))' idiom already.
- audio/drivers/ps3_audio.c:102 is NULL-checked.
- audio/drivers/sdl_audio.c:239,591 degrade gracefully on
calloc failure (the 'if (tmp)' gate around fifo_write makes
the pre-fill best-effort).
- frontend/drivers/platform_ps2.c's frontend_ps2_get_free_mem
is a memory-probe that depends on malloc-failing behaviour
by design.
- frontend/drivers/platform_wii.c:218 is NULL-checked with an
fclose+goto-exit unwind.
=== Thread-safety ===
android_app_create runs on the Android main thread during
activity construction. FetchFS init runs on the main thread
during process startup. Neither function crosses threads, so
no lock discipline changes.
=== Reachability ===
Android savedState malloc: every app re-creation with a
non-empty saved-state blob (screen rotation is the common
trigger).
Emscripten FetchFS init: every web build with FETCH_MANIFEST
set (the build-mode where the filesystem is fetched lazily
from a remote URL at runtime).
1 parent 23da752 commit eebab97
2 files changed
Lines changed: 23 additions & 2 deletions
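The guarded saved-state copy the message describes, as an added example that is not the project's own code: a reduced model of the android_app create path with an allocation fault-injection hook, so the OOM branch can be exercised. The struct, the function names and the probe_malloc hook are hypothetical; the consumer is modelled on the onSaveInstanceState gate the message cites.

```c
/* Added example, not the project's code: a reduced model of the android_app
 * saved-state copy with allocation fault injection, showing the guarded form
 * the commit describes. Struct and function names are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct app_state { void *savedState; size_t savedStateSize; };
static int g_fail_alloc;                 /* nonzero: simulate OOM */
static void *probe_malloc(size_t n) { return g_fail_alloc ? NULL : malloc(n); }

/* Guarded copy: on OOM both fields stay zero, exactly as calloc left them,
 * so a consumer gating on savedState != NULL sees "nothing to restore". */
static void copy_saved_state(struct app_state *app,
                             const void *savedState, size_t savedStateSize)
{
    if (!savedState)
        return;
    app->savedState = probe_malloc(savedStateSize);
    if (app->savedState)                 /* the NULL-check the commit adds */
    {
        app->savedStateSize = savedStateSize;
        memcpy(app->savedState, savedState, savedStateSize);
    }
}

/* Consumer modelled on the onSaveInstanceState gate; returns bytes restored. */
static size_t restore_saved_state(const struct app_state *app,
                                  void *out, size_t cap)
{
    if (!app->savedState || app->savedStateSize > cap)
        return 0;
    memcpy(out, app->savedState, app->savedStateSize);
    return app->savedStateSize;
}

/* One activity (re)creation with a constructed 4-byte blob. Returns the bytes
 * the consumer restored: 4 normally, 0 under simulated OOM (fresh launch
 * instead of a NULL dereference in memcpy). */
size_t simulate_create(int fail_alloc)
{
    static const unsigned char blob[4] = { 1, 2, 3, 4 };
    struct app_state app = { 0 };        /* mirrors the calloc'd android_app */
    unsigned char out[8];
    size_t n;
    g_fail_alloc = fail_alloc;
    copy_saved_state(&app, blob, sizeof blob);
    n = restore_saved_state(&app, out, sizeof out);
    free(app.savedState);                /* free(NULL) is a no-op */
    return n;
}
```

Without the guard, the OOM run would write savedStateSize = 4 and then memcpy into NULL; with it, the struct stays in its calloc'd state and the consumer simply restores nothing.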