libretro / RetroArch

Cross-platform, sophisticated frontend for the libretro API. Licensed GPLv3.
http://www.libretro.com
GNU General Public License v3.0

(Menu) Segfault in core options #7915

Closed orbea closed 5 years ago

orbea commented 5 years ago

Description

RetroArch will segfault in the core options with any core when pressing enter; I tested nestopia, genesis plus gx and sameboy.

Expected behavior

RetroArch should not crash.

Actual behavior

Thread 1 "retroarch" received signal SIGSEGV, Segmentation fault.
0x000000000049b65e in core_option_manager_get_val (opt=0xb1be90, idx=4294967295)
    at managers/core_option_manager.c:331
331    return option->vals->elems[option->index].data;
(gdb) bt
#0  0x000000000049b65e in core_option_manager_get_val (opt=0xb1be90,
    idx=4294967295) at managers/core_option_manager.c:331
#1  0x0000000000643d5b in menu_displaylist_ctl (type=DISPLAYLIST_DROPDOWN_LIST,
    info=0x7fffffffdbe0) at menu/menu_displaylist.c:8153
#2  0x0000000000612de0 in deferred_push_dlist (info=0x7fffffffdbe0,
    state=DISPLAYLIST_DROPDOWN_LIST) at menu/cbs/menu_cbs_deferred_push.c:55
#3  0x00000000006148bf in general_push (info=0x7fffffffdbe0, id=2,
    state=DISPLAYLIST_DROPDOWN_LIST) at menu/cbs/menu_cbs_deferred_push.c:591
#4  0x0000000000614a90 in deferred_push_dropdown_box_list (info=0x7fffffffdbe0)
    at menu/cbs/menu_cbs_deferred_push.c:617
#5  0x0000000000637d8d in menu_displaylist_push (entry=0x7fffffffdc80)
    at menu/menu_displaylist.c:4083
#6  0x000000000060f1dd in action_refresh_default (list=0x13ad460,
    menu_list=0x13ad440) at menu/cbs/menu_cbs_refresh.c:34
#7  0x00000000005fdb2c in menu_entry_action (entry=0x7fffffffdd10, i=0,
    action=MENU_ACTION_OK) at menu/widgets/menu_entry.c:502
#8  0x0000000000648ace in generic_menu_iterate (menu=0x13a24f0,
    userdata=0x1377ff0, action=MENU_ACTION_OK) at menu/drivers/menu_generic.c:232
#9  0x00000000005d9ee4 in menu_driver_iterate (iterate=0x7fffffffded0)
    at menu/menu_driver.c:2011
#10 0x0000000000416ff7 in runloop_check_state (settings=0x7ffff4aa4010,
    input_nonblock_state=false, sleep_ms=0x7fffffffe0f0) at retroarch.c:2851
#11 0x0000000000418223 in runloop_iterate (sleep_ms=0x7fffffffe0f0)
    at retroarch.c:3553
#12 0x0000000000411247 in rarch_main (argc=1, argv=0x7fffffffe208, data=0x0)
    at frontend/frontend.c:141
#13 0x00000000004112a4 in main (argc=1, argv=0x7fffffffe208)
    at frontend/frontend.c:170

Full GDB log - https://pastebin.com/70LXaNxH

=================================================================
==10218==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160001dfa30 at pc 0x00000055ab3e bp 0x7fff716ebdc0 sp 0x7fff716ebdb8
READ of size 8 at 0x6160001dfa30 thread T0
    #0 0x55ab3d in core_option_manager_get_val managers/core_option_manager.c:331
    #1 0x88f484 in menu_displaylist_ctl menu/menu_displaylist.c:8153
    #2 0x82da03 in deferred_push_dlist menu/cbs/menu_cbs_deferred_push.c:55
    #3 0x8307de in general_push menu/cbs/menu_cbs_deferred_push.c:591
    #4 0x830adb in deferred_push_dropdown_box_list menu/cbs/menu_cbs_deferred_push.c:617
    #5 0x8748a8 in menu_displaylist_push menu/menu_displaylist.c:4083
    #6 0x8256c8 in action_refresh_default menu/cbs/menu_cbs_refresh.c:34
    #7 0x7ff103 in menu_entry_action menu/widgets/menu_entry.c:502
    #8 0x898fc1 in generic_menu_iterate menu/drivers/menu_generic.c:232
    #9 0x7b6eae in menu_driver_iterate menu/menu_driver.c:2011
    #10 0x422aa7 in runloop_check_state /home/orbea/gittings/forks/RetroArch/retroarch.c:2851
    #11 0x424e1f in runloop_iterate /home/orbea/gittings/forks/RetroArch/retroarch.c:3553
    #12 0x41812d in rarch_main frontend/frontend.c:141
    #13 0x418263 in main frontend/frontend.c:170
    #14 0x7fa9788cac66 in __libc_start_main (/lib64/libc.so.6+0x22c66)
    #15 0x40d889 in _start (/media/gittings/forks/RetroArch/retroarch+0x40d889)

0x6160001dfa30 is located 80 bytes to the left of 524-byte region [0x6160001dfa80,0x6160001dfc8c)
freed by thread T0 here:
    #0 0x7fa97aab8bb0 in __interceptor_free (/usr/lib64/libasan.so.5+0xe8bb0)
    #1 0x7fa96f4ba9c1 in llvm::PMTopLevelManager::findAnalysisUsage(llvm::Pass*) (/usr/lib64/libLLVM-7.so+0xa7a9c1)

previously allocated by thread T0 here:
    #0 0x7fa97aab9320 in __interceptor_realloc (/usr/lib64/libasan.so.5+0xe9320)
    #1 0x7fa96f3731b3 in llvm::SmallVectorBase::grow_pod(void*, unsigned long, unsigned long) (/usr/lib64/libLLVM-7.so+0x9331b3)

SUMMARY: AddressSanitizer: heap-buffer-overflow managers/core_option_manager.c:331 in core_option_manager_get_val
Shadow bytes around the buggy address:
  0x0c2c80033ef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f30: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c80033f40: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x0c2c80033f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80033f90: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10218==ABORTING

Steps to reproduce the bug

  1. Start any core (i.e. nestopia).
  2. Open the quick menu.
  3. Select Options.
  4. Press enter on the first option.
  5. Segfault.

Bisect Results

baa909f296629636f2f7c9cdd3a0a66fe46e376e is the first bad commit
commit baa909f296629636f2f7c9cdd3a0a66fe46e376e
Author: twinaphex <libretro@gmail.com>
Date:   Sun Sep 23 18:36:48 2018 +0200

    Add dropdown lists for core options

:040000 040000 0b4a6388862aa232a066f200a7540de62faeda33 136eb1cb8fe96492397fa4a26b4ba58d053d53b0 M  menu

baa909f296629636f2f7c9cdd3a0a66fe46e376e

Version/Commit

You can find this information under Information/System Information

Environment information

orbea commented 5 years ago

Similar crash as in issue https://github.com/libretro/RetroArch/issues/6371.

orbea commented 5 years ago

It seems it only crashes on the very first option and for every other option it will show the value for the previous option...

andres-asm commented 5 years ago

Seems this only happens if this setting is OFF [image]

andres-asm commented 5 years ago

I figure when the drop-downs were added this wasn't considered, if this is OFF the menu entry for Content-Specific Core Options is removed from the list so I guess some offset is wrong.
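The backtrace above shows `core_option_manager_get_val` being called with `idx=4294967295`, which is `(unsigned)-1`, and the comment just above attributes it to an offset that is only right when the "Content-Specific Core Options" entry is present. The following is an added example, not RetroArch's code: it models that failure mode with constructed types and sample values (the struct names, `get_val_unchecked`, `get_val_checked`, `option_index_buggy`, `option_index_from_menu` and `build_sample` are all assumptions made here), shows how an unconditional `- 1` on an unsigned menu position wraps to 4294967295, and puts the unchecked lookup beside a bounds-checked one that returns NULL instead of reading past the heap block.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a core-option table (not RetroArch's own types):
 * each option holds a list of string values and the index of the one selected. */
struct string_elem { const char *data; };
struct string_list { struct string_elem *elems; size_t size; };
struct core_option { struct string_list *vals; size_t index; };
struct core_option_manager { struct core_option *opts; size_t size; };

/* Pattern behind the crash in the report: idx comes straight from a menu
 * offset and is used as an array index without a range check. With
 * idx == 4294967295 the read lands far outside the allocation, which is
 * exactly what AddressSanitizer flagged. Do not call this with an
 * out-of-range idx; it is here only to show the shape of the bug. */
const char *get_val_unchecked(const struct core_option_manager *opt, size_t idx)
{
   const struct core_option *option = &opt->opts[idx];
   return option->vals->elems[option->index].data;
}

/* Hardened version: reject NULL tables and any index outside [0, size),
 * both for the option and for the selected value inside it. */
const char *get_val_checked(const struct core_option_manager *opt, size_t idx)
{
   if (!opt || !opt->opts || idx >= opt->size)
      return NULL;
   const struct core_option *option = &opt->opts[idx];
   if (!option->vals || !option->vals->elems || option->index >= option->vals->size)
      return NULL;
   return option->vals->elems[option->index].data;
}

/* Model of the offset bug described in the thread (hypothetical, not the
 * actual RetroArch logic): the list sometimes starts with a non-option
 * entry, and the position was adjusted for it unconditionally. When that
 * entry is absent, position 0 becomes 0u - 1u == 4294967295. */
unsigned option_index_buggy(unsigned menu_pos)
{
   return menu_pos - 1u;
}

/* Corrected mapping: only skip the leading entry when it is actually there. */
unsigned option_index_from_menu(unsigned menu_pos, int has_header_entry)
{
   return has_header_entry ? menu_pos - 1u : menu_pos;
}

/* Builds a small constructed table: option 0 has {"auto","ntsc","pal"} with
 * "ntsc" selected, option 1 has {"off","on"} with "on" selected. */
struct core_option_manager *build_sample(void)
{
   static struct string_elem v0[] = { {"auto"}, {"ntsc"}, {"pal"} };
   static struct string_elem v1[] = { {"off"}, {"on"} };
   static struct string_list l0 = { v0, 3 };
   static struct string_list l1 = { v1, 2 };
   static struct core_option opts[2] = { { &l0, 1 }, { &l1, 1 } };
   static struct core_option_manager mgr = { opts, 2 };
   return &mgr;
}

int main(void)
{
   struct core_option_manager *mgr = build_sample();
   unsigned bad = option_index_buggy(0);           /* header entry missing */
   unsigned ok  = option_index_from_menu(0, 0);

   printf("buggy index for position 0: %u\n", bad);
   printf("checked lookup at buggy index: %s\n",
          get_val_checked(mgr, bad) ? "value" : "NULL (rejected)");
   printf("checked lookup at corrected index: %s\n", get_val_checked(mgr, ok));
   return 0;
}
```

The checked lookup is the change a maintainer would want regardless of how the menu offset is fixed: the index is data that arrives from another subsystem, so the accessor should treat it as untrusted and fail closed rather than rely on every caller computing it correctly.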