Validate operand type before operating on it (#5092)

Fixes https://crbug.com/oss-fuzz/52921

* Validate the data operand of OpBitCount before trying to get its
  dimension
This commit is contained in:
alan-baker 2023-01-31 15:40:22 -05:00 committed by GitHub
parent fcfc3c580c
commit b230a7c7d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 2 deletions

View File

@ -206,13 +206,14 @@ spv_result_t BitwisePass(ValidationState_t& _, const Instruction* inst) {
<< spvOpcodeString(opcode);
const uint32_t base_type = _.GetOperandTypeId(inst, 2);
const uint32_t base_dimension = _.GetDimension(base_type);
const uint32_t result_dimension = _.GetDimension(result_type);
if (spv_result_t error = ValidateBaseType(_, inst, base_type)) {
return error;
}
const uint32_t base_dimension = _.GetDimension(base_type);
const uint32_t result_dimension = _.GetDimension(result_type);
if (base_dimension != result_dimension)
return _.diag(SPV_ERROR_INVALID_DATA, inst)
<< "Expected Base dimension to be equal to Result Type "

View File

@ -643,6 +643,32 @@ TEST_F(ValidateBitwise, OpBitCountNot32Vulkan) {
HasSubstr("Expected 32-bit int type for Base operand: BitCount"));
}
TEST_F(ValidateBitwise, OpBitCountPointer) {
const std::string body = R"(
OpCapability Shader
OpMemoryModel Logical GLSL450
OpEntryPoint GLCompute %main "main"
OpExecutionMode %main LocalSize 1 1 1
%void = OpTypeVoid
%int = OpTypeInt 32 0
%ptr_int = OpTypePointer Function %int
%void_fn = OpTypeFunction %void
%main = OpFunction %void None %void_fn
%entry = OpLabel
%var = OpVariable %ptr_int Function
%count = OpBitCount %int %var
OpReturn
OpFunctionEnd
)";
CompileSuccessfully(body);
ASSERT_EQ(SPV_ERROR_INVALID_DATA, ValidateInstructions());
EXPECT_THAT(
getDiagnosticString(),
HasSubstr(
"Expected int scalar or vector type for Base operand: BitCount"));
}
} // namespace
} // namespace val
} // namespace spvtools