cheevos: NULL-check retry-achievement info malloc + release task on OOM

LibretroAdmin · LibretroAdmin · commit fe8f7cbf2bde · 2026-04-23T21:30:47.000+02:00
rcheevos_award_achievement's 'badge not ready yet, retry later' path
allocated a task + a retry-info struct with no guard:

    task = task_init();
    if (!task)
       rcheevos_show_achievement_popup(cheevo, rarity);
    else
    {
       struct rcheevos_retry_achievement_info_t* info;
       info = (struct rcheevos_retry_achievement_info_t*)malloc(sizeof(*info));
       info-&gt;achievement_id = cheevo-&gt;id;   /* NULL-deref on OOM */
       info-&gt;rarity = rarity;
       ...
       task-&gt;user_data = info;
       task_queue_push(task);
    }

Two ways this breaks on OOM:

  1. Immediate segfault: info-&gt;achievement_id is dereferenced on the
     very next line after malloc.

  2. Dormant segfault via the task handler: if something somehow
     survived the immediate dereference (it won't - but as a
     reasoning exercise) and we pushed a task with user_data=NULL,
     rcheevos_retry_achievement_popup (line 347) would do
     'info-&gt;achievement_id' when the task fires.

Also leaks the just-allocated retro_task_t on the info-malloc
failure path, since task_queue_push never runs to take ownership.

Fix: NULL-check info.  On OOM, free the task (task_init is a plain
malloc, free is the correct release for an un-pushed task) and
fall back to rcheevos_show_achievement_popup immediately - the
same behaviour as the existing '!task' branch.  That's the
graceful-degradation path: the popup just shows the placeholder
badge instead of waiting for the real one.

Thread-safety: unchanged.  rcheevos_award_achievement runs on the
main thread from the rcheevos callback; info is owned by the task
until the handler releases it.
diff --git a/cheevos/cheevos.c b/cheevos/cheevos.c
@@ -406,16 +406,29 @@ static void rcheevos_award_achievement(const rc_client_achievement_t* cheevo)
             else
             {
                struct rcheevos_retry_achievement_info_t* info;
-               info = (struct rcheevos_retry_achievement_info_t*)malloc(sizeof(*info));
-               info->achievement_id = cheevo->id;
-               info->rarity = rarity;
-
-               task->handler = rcheevos_retry_achievement_popup;
-               task->user_data = info;
-               task->progress = 1;
-               task->when = cpu_features_get_time_usec() + 100000; /* first retry in 100ms */
-
-               task_queue_push(task);
+               /* NULL-check before dereferencing.  The previous code
+                * wrote info->achievement_id / info->rarity on the
+                * next two lines regardless, which would segfault on
+                * OOM.  Falling back to the immediate popup path
+                * matches the '!task' branch above, and we have to
+                * release the task we just allocated or we leak it. */
+               if (!(info = (struct rcheevos_retry_achievement_info_t*)malloc(sizeof(*info))))
+               {
+                  free(task);
+                  rcheevos_show_achievement_popup(cheevo, rarity);
+               }
+               else
+               {
+                  info->achievement_id = cheevo->id;
+                  info->rarity = rarity;
+
+                  task->handler = rcheevos_retry_achievement_popup;
+                  task->user_data = info;
+                  task->progress = 1;
+                  task->when = cpu_features_get_time_usec() + 100000; /* first retry in 100ms */
+
+                  task_queue_push(task);
+               }
             }
          }
       }
