[pull] master from libretro:master

.github/workflows/Linux-libretro-common-samples.yml

@@ -69,6 +69,7 @@ jobs:
             cdrom_cuesheet_overflow_test
             cdfs_dir_record_test
             chd_meta_overflow_test
+            strlcpy_append_test
             http_parse_test
             rjson_test
             rtga_test

.github/workflows/Linux-samples-tasks.yml

@@ -171,3 +171,26 @@ jobs:
           test -x bsv_replay_bounds_test
           timeout 60 ./bsv_replay_bounds_test
           echo "[pass] bsv_replay_bounds_test"
+
+      - name: Build and run bps_patch_bounds_test (ASan)
+        shell: bash
+        working-directory: samples/tasks/bps_patch
+        run: |
+          set -eu
+          # Regression test for the .bps patch parser bounds in
+          # tasks/task_patch.c::bps_apply_patch.  Pre-fix a
+          # malicious .bps could write attacker-chosen bytes
+          # past the malloc'd target_data buffer (heap-buffer-
+          # overflow WRITE), read past source_data (info leak),
+          # and read past modify_data via TARGET_READ.  The
+          # size-prelude was also unbounded, allowing 32-bit
+          # truncation of modify_target_size to drive a
+          # smaller-than-expected allocation.  Build under
+          # AddressSanitizer so any reintroduction is caught
+          # at the bounds level.  If task_patch.c amends the
+          # action-loop predicates, the verbatim copy in
+          # bps_patch_bounds_test.c must follow.
+          make clean all SANITIZER=address
+          test -x bps_patch_bounds_test
+          timeout 60 ./bps_patch_bounds_test
+          echo "[pass] bps_patch_bounds_test"

command.c

@@ -1116,37 +1116,37 @@ bool command_get_status(command_t *cmd, const char* arg)
 
       core_info_get_current_core(&core_info);
 
-      _len = strlcpy(reply, "GET_STATUS ", sizeof(reply));
+      _len = 0;
+      strlcpy_append(reply, sizeof(reply), &_len, "GET_STATUS ");
 
       if (runloop_st->flags & RUNLOOP_FLAG_PAUSED)
-         _len += strlcpy(reply + _len, "PAUSED", sizeof(reply) - _len);
+         strlcpy_append(reply, sizeof(reply), &_len, "PAUSED");
       else
-         _len += strlcpy(reply + _len, "PLAYING", sizeof(reply) - _len);
+         strlcpy_append(reply, sizeof(reply), &_len, "PLAYING");
 
-      _len += strlcpy(reply + _len, " ", sizeof(reply) - _len);
+      strlcpy_append(reply, sizeof(reply), &_len, " ");
 
       if (core_info && core_info->system_id)
-         _len += strlcpy(reply + _len, core_info->system_id,
-               sizeof(reply) - _len);
+         strlcpy_append(reply, sizeof(reply), &_len, core_info->system_id);
       else if (runloop_st->system.info.library_name)
-         _len += strlcpy(reply + _len, runloop_st->system.info.library_name,
-               sizeof(reply) - _len);
+         strlcpy_append(reply, sizeof(reply), &_len,
+               runloop_st->system.info.library_name);
       else
-         _len += strlcpy(reply + _len, "UNKNOWN", sizeof(reply) - _len);
+         strlcpy_append(reply, sizeof(reply), &_len, "UNKNOWN");
 
-      _len += strlcpy(reply + _len, ",", sizeof(reply) - _len);
+      strlcpy_append(reply, sizeof(reply), &_len, ",");
 
       basename_path = path_get(RARCH_PATH_BASENAME);
       if (basename_path)
       {
          const char *basename = path_basename(basename_path);
          if (basename)
-            _len += strlcpy(reply + _len, basename, sizeof(reply) - _len);
+            strlcpy_append(reply, sizeof(reply), &_len, basename);
          else
-            _len += strlcpy(reply + _len, "UNKNOWN", sizeof(reply) - _len);
+            strlcpy_append(reply, sizeof(reply), &_len, "UNKNOWN");
       }
       else
-         _len += strlcpy(reply + _len, "UNKNOWN", sizeof(reply) - _len);
+         strlcpy_append(reply, sizeof(reply), &_len, "UNKNOWN");
 
       _len += snprintf(reply + _len, sizeof(reply) - _len,
             ",crc32=%lx\n", (unsigned long)content_get_crc());