file_path: avoid fortified realpath() buffer size abort (#19037)

s3gfaultx · web-flow · commit f2e32f092143 · 2026-05-14T14:42:57.000+02:00
glibc's fortified realpath() checks that the destination buffer is at
least PATH_MAX bytes. path_resolve_realpath() was passing the caller's
buffer directly, which may be smaller than the system PATH_MAX despite
being sized to RetroArch's PATH_MAX_LENGTH.

With _FORTIFY_SOURCE=3 this can abort in __realpath_chk when resolving
core updater paths.

Resolve into an allocated realpath() buffer instead, then copy the result
back into the caller-provided buffer using the provided length.
diff --git a/libretro-common/file/file_path.c b/libretro-common/file/file_path.c
@@ -793,12 +793,16 @@ char *path_resolve_realpath(char *s, size_t len, bool resolve_symlinks)
    const char *buf_end;
    if (resolve_symlinks)
    {
+      char *real_path;
       strlcpy(tmp, s, sizeof(tmp));
-      if (!realpath(tmp, s))
+      real_path = realpath(tmp, NULL);
+      if (!real_path)
       {
          strlcpy(s, tmp, len);
          return NULL;
       }
+      strlcpy(s, real_path, len);
+      free(real_path);
       return s;
    }
    t       = 0;

Original file line number	Diff line number	Diff line change
`@@ -793,12 +793,16 @@ char path_resolve_realpath(char s, size_t len, bool resolve_symlinks)`
`793`	`793`	`const char *buf_end;`
`794`	`794`	`if (resolve_symlinks)`
`795`	`795`	`{`
	`796`	`+ char *real_path;`
`796`	`797`	`strlcpy(tmp, s, sizeof(tmp));`
`797`		`- if (!realpath(tmp, s))`
	`798`	`+ real_path = realpath(tmp, NULL);`
	`799`	`+ if (!real_path)`
`798`	`800`	`{`
`799`	`801`	`strlcpy(s, tmp, len);`
`800`	`802`	`return NULL;`
`801`	`803`	`}`
	`804`	`+ strlcpy(s, real_path, len);`
	`805`	`+ free(real_path);`
`802`	`806`	`return s;`
`803`	`807`	`}`
`804`	`808`	`t = 0;`