overlay: fix OOM crash cascade across task_overlay producer and input_driver consumer

LibretroAdmin · LibretroAdmin · commit f07549bde442 · 2026-04-24T01:23:26.000+02:00
Four bugs forming one OOM cascade in the input-overlay load
pipeline.  Fixing any one of them in isolation just pushes the
crash one call-frame deeper; they have to land together.

=== tasks/task_overlay.c: task_overlay_desc_populate_eightway_config ===

    desc-&gt;eightway_config = (overlay_eightway_config_t *)
          calloc(1, sizeof(overlay_eightway_config_t));
    eightway              = desc-&gt;eightway_config;

    switch (desc-&gt;type)
    {
       case OVERLAY_TYPE_DPAD_AREA:
          BIT256_SET(eightway-&gt;up, ...);         /* NULL-deref */
          ...

Unchecked calloc; the BIT256_SET writes in the switch body
NULL-deref on OOM.  void-returning function so we can't signal
failure to the caller directly.

Fix: NULL-check and early return.  This leaves
desc-&gt;eightway_config = NULL for an area-type desc that needs
it, which then fires the consumer bug below.

=== input/input_driver.c: input_overlay_poll eightway dispatch ===

    case OVERLAY_TYPE_DPAD_AREA:
    case OVERLAY_TYPE_ABXY_AREA:
       input_overlay_get_eightway_state(
             desc, desc-&gt;eightway_config,
             &amp;out-&gt;buttons, x_dist, y_dist);
       break;

input_overlay_get_eightway_state dereferences eightway-&gt;
slope_high unconditionally (line ~2781).  With the producer fix
above leaving eightway_config NULL under OOM, this dispatch path
needs to gate on non-NULL:

    if (desc-&gt;eightway_config)
       input_overlay_get_eightway_state(...);

User-visible consequence on OOM: the one area whose config alloc
failed is dead until overlay reload.  Strictly better than a
segfault on the next touch input.

=== tasks/task_overlay.c: task_overlay_handler data alloc ===

    overlay_task_data_t *data = (overlay_task_data_t*)
       calloc(1, sizeof(*data));

    data-&gt;overlays                    = loader-&gt;overlays;  /* NULL-deref */
    ...

Unchecked calloc in the task's 'finished and not cancelled'
branch; the seven field writes below NULL-deref on OOM.

Fix: NULL-check and early return (skip the task_set_data call).
The consumer (input_overlay_loaded in input/input_driver.c) then
sees NULL task_data, which cascades to the next bug.

=== input/input_driver.c: input_overlay_loaded task_data and ol allocs ===

    overlay_task_data_t *data = (overlay_task_data_t*)task_data;
    ...
    if (err)
       return;

    ol              = (input_overlay_t*)calloc(1, sizeof(*ol));
    ol-&gt;overlays    = data-&gt;overlays;                     /* NULL-deref */
    ...

Two stacked bugs:
  1. task_data can be NULL (from the producer fix above) but is
     dereferenced as data-&gt;overlays on the very next usable line.
     Add an early return.
  2. The ol calloc is unchecked.  The field writes below NULL-deref
     on OOM.  Unlike typical OOM-bail patterns, bailing here has a
     non-trivial cleanup obligation: task_data was transferred to
     us by the retro_task framework and we own it, *and* the
     image_list inside it has heap texture_image attachments on
     each entry's .attr.p that the success path would transfer
     into ol-&gt;images via input_overlay_loaded_move_images.  Since
     ol doesn't exist, we need to free each texture explicitly
     before string_list_free (string_list_free only frees the
     list struct and its entries' .data strings, not the .attr.p
     attachments).

Fix both:

    if (!data)
       return;
    ol = (input_overlay_t*)calloc(1, sizeof(*ol));
    if (!ol)
    {
       if (data-&gt;image_list)
       {
          size_t i;
          for (i = 0; i &lt; data-&gt;image_list-&gt;size; i++)
             image_texture_free(
                (struct texture_image*)data-&gt;image_list-&gt;elems[i].attr.p);
          string_list_free(data-&gt;image_list);
       }
       free(data);
       return;
    }

=== Thread-safety ===

task_overlay_handler runs on the retro_task worker thread pool;
input_overlay_loaded runs on the main thread as the task's
completion callback.  The ownership transfer of task_data via
task_set_data is already correct (producer populates, consumer
frees), so no lock discipline changes.

=== Reachability ===

Overlay loading runs every time the user picks an overlay from
the menu, configures an auto-load overlay, or switches between
overlays (e.g. OSK toggle).  On handheld and embedded targets
with the memory pressure typical of running an emulator core +
overlay textures, OOM at any of these four sites is realistic.

=== Scope ===

Left image_transfer / texture loading paths in task_overlay.c
alone (the per-image malloc + image_texture_load calls all
NULL-check and goto their cleanup labels already).  The four
fixes here are the OOM sites that didn't have any guard.
diff --git a/input/input_driver.c b/input/input_driver.c
@@ -3032,9 +3032,16 @@ static bool input_overlay_poll(
             break;
          case OVERLAY_TYPE_DPAD_AREA:
          case OVERLAY_TYPE_ABXY_AREA:
-            input_overlay_get_eightway_state(
-                  desc, desc->eightway_config,
-                  &out->buttons, x_dist, y_dist);
+            /* Gate on eightway_config because task_overlay_desc_
+             * populate_eightway_config can legitimately fail its
+             * calloc under OOM and leave this field NULL for an
+             * area-type desc that requires it.  Without the
+             * gate input_overlay_get_eightway_state NULL-derefs
+             * on eightway->slope_high below. */
+            if (desc->eightway_config)
+               input_overlay_get_eightway_state(
+                     desc, desc->eightway_config,
+                     &out->buttons, x_dist, y_dist);
             break;
          case OVERLAY_TYPE_ANALOG_RIGHT:
             base = 2;
@@ -6220,7 +6227,36 @@ static void input_overlay_loaded(retro_task_t *task,
    if (err)
       return;
 
+   /* NULL-check task_data: the task producer (task_overlay_handler
+    * in tasks/task_overlay.c) can legitimately fail its data
+    * alloc under OOM and pass NULL here; data->overlays below
+    * would NULL-deref.  Nothing useful to do with a NULL payload
+    * so bail cleanly. */
+   if (!data)
+      return;
+
    ol              = (input_overlay_t*)calloc(1, sizeof(*ol));
+   /* NULL-check the ol calloc: the field writes below NULL-deref
+    * on OOM.  Task_data ownership transferred to us by the
+    * retro_task framework via task_set_data - we must tear it
+    * down cleanly.  image_list entries each have a heap
+    * texture_image* in elems[i].attr.p that move_images would
+    * normally transfer into ol->images; since ol doesn't exist,
+    * free each texture explicitly before string_list_free
+    * (string_list_free only frees the list struct and its
+    * entries' .data strings, not their .attr.p attachments). */
+   if (!ol)
+   {
+      if (data->image_list)
+      {
+         size_t i;
+         for (i = 0; i < data->image_list->size; i++)
+            image_texture_free((struct texture_image*)data->image_list->elems[i].attr.p);
+         string_list_free(data->image_list);
+      }
+      free(data);
+      return;
+   }
    ol->overlays    = data->overlays;
    ol->size        = data->size;
    ol->active      = data->active;
diff --git a/tasks/task_overlay.c b/tasks/task_overlay.c
@@ -231,6 +231,18 @@ static void task_overlay_desc_populate_eightway_config(
          calloc(1, sizeof(overlay_eightway_config_t));
    eightway              = desc->eightway_config;
 
+   /* NULL-check: the switch body below writes eightway->up etc.
+    * via BIT256_SET which would NULL-deref on OOM.  void-returning
+    * function, so we can't signal failure to the caller.  Leaving
+    * eightway_config = NULL on failure makes input_driver.c's
+    * OVERLAY_TYPE_DPAD_AREA / ABXY_AREA dispatch path take its
+    * 'if (desc->eightway_config)' gate and skip the area's input
+    * handling - strictly better than a crash.  The user-visible
+    * consequence is that this one eightway area is dead until
+    * the overlay is reloaded. */
+   if (!eightway)
+      return;
+
    /* Populate default vals for the eightway type.
     */
    switch (desc->type)
@@ -1111,6 +1123,16 @@ static void task_overlay_handler(retro_task_t *task)
       overlay_task_data_t *data = (overlay_task_data_t*)
          calloc(1, sizeof(*data));
 
+      /* NULL-check before the seven field writes below NULL-deref.
+       * On OOM skip the task_set_data call so the consumer
+       * (input/input_driver.c input_overlay_loaded) sees NULL
+       * task_data.  That consumer now also NULL-checks its
+       * task_data argument (fixed in the same commit) - without
+       * that second fix this branch still crashes at the
+       * consumer, just one call further down the stack. */
+      if (!data)
+         return;
+
       data->overlays                    = loader->overlays;
       data->active                      = loader->active;
       data->size                        = loader->size;
