From 81c86e8608c252c17af2ee63be70dd1576a5ed3d Mon Sep 17 00:00:00 2001
From: John Stiles <johnstiles@google.com>
Date: Mon, 1 Nov 2021 10:50:05 -0400
Subject: [PATCH] Fix fuzzer-discovered assertion with nonsense array sizes.

Change-Id: I7512491f55c10118f0ab058500f6ce9b5b8545cd
Bug: oss-fuzz:40557
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/466296
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
---
 resources/sksl/errors/ArrayOfInvalidSize.sksl | 39 ++++++++++---------
 src/sksl/ir/SkSLConstructor.cpp               | 10 +++--
 tests/sksl/errors/ArrayOfInvalidSize.glsl     | 16 ++++----
 3 files changed, 37 insertions(+), 28 deletions(-)

diff --git a/resources/sksl/errors/ArrayOfInvalidSize.sksl b/resources/sksl/errors/ArrayOfInvalidSize.sksl
index dc657c16ca..cbb8f121a5 100644
--- a/resources/sksl/errors/ArrayOfInvalidSize.sksl
+++ b/resources/sksl/errors/ArrayOfInvalidSize.sksl
@@ -1,18 +1,21 @@
-void a() { float[-2]; }
-void b() { float[-1]; }
-void c() { float[0]; }
-void d() { float[1.5]; }
-void e() { float[4000000000]; }
-void f() { float[true]; }
-void g() { float[false]; }
-void h() { float[int2(2, 2)]; }
-void i() { float[]; }
-void j() { float x[-2]; }
-void k() { float x[-1]; }
-void l() { float x[0]; }
-void m() { float x[1.5]; }
-void n() { float x[4000000000]; }
-void o() { float x[true]; }
-void p() { float x[false]; }
-void q() { float x[int2(2, 2)]; }
-void r() { float x[]; }
+void a1() { float[-2]; }
+void b1() { float[-1]; }
+void c1() { float[0]; }
+void d1() { float[1.5]; }
+void e1() { float[4000000000]; }
+void f1() { float[true]; }
+void g1() { float[false]; }
+void h1() { float[int2(2, 2)]; }
+void i1() { float[]; }
+void j1() { float[int3(4000000000)]; }
+
+void a2() { float x[-2]; }
+void b2() { float x[-1]; }
+void c2() { float x[0]; }
+void d2() { float x[1.5]; }
+void e2() { float x[4000000000]; }
+void f2() { float x[true]; }
+void g2() { float x[false]; }
+void h2() { float x[int2(2, 2)]; }
+void i2() { float x[]; }
+void j2() { float x[int3(4000000000)]; }
diff --git a/src/sksl/ir/SkSLConstructor.cpp b/src/sksl/ir/SkSLConstructor.cpp
index c9fabca1a2..4a373aec6a 100644
--- a/src/sksl/ir/SkSLConstructor.cpp
+++ b/src/sksl/ir/SkSLConstructor.cpp
@@ -55,9 +55,13 @@ static std::unique_ptr<Expression> convert_compound_constructor(const Context& c
         if (argument->type().isScalar()) {
             // A constructor containing a single scalar is a splat (for vectors) or diagonal matrix
             // (for matrices). It's legal regardless of the scalar's type, so synthesize an explicit
-            // conversion to the proper type. (This cast is a no-op if it's unnecessary.)
-            std::unique_ptr<Expression> typecast = ConstructorScalarCast::Make(
-                    context, line, type.componentType(), std::move(argument));
+            // conversion to the proper type. (This cast is a no-op if it's unnecessary; it can fail
+            // if we're casting a literal that exceeds the limits of the type.)
+            std::unique_ptr<Expression> typecast = ConstructorScalarCast::Convert(
+                        context, line, type.componentType(), std::move(args));
+            if (!typecast) {
+                return nullptr;
+            }
 
             // Matrix-from-scalar creates a diagonal matrix; vector-from-scalar creates a splat.
             return type.isMatrix()
diff --git a/tests/sksl/errors/ArrayOfInvalidSize.glsl b/tests/sksl/errors/ArrayOfInvalidSize.glsl
index ab8383ab14..bcc101a2c6 100644
--- a/tests/sksl/errors/ArrayOfInvalidSize.glsl
+++ b/tests/sksl/errors/ArrayOfInvalidSize.glsl
@@ -9,13 +9,15 @@ error: 6: expected 'int', but found 'bool'
 error: 7: expected 'int', but found 'bool'
 error: 8: expected 'int', but found 'int2'
 error: 9: missing index in '[]'
-error: 10: array size must be positive
-error: 11: array size must be positive
+error: 10: integer is out of range for type 'int': 4000000000
 error: 12: array size must be positive
-error: 13: array size must be an integer
-error: 14: array size out of bounds
+error: 13: array size must be positive
+error: 14: array size must be positive
 error: 15: array size must be an integer
-error: 16: array size must be an integer
+error: 16: array size out of bounds
 error: 17: array size must be an integer
-error: 18: expected array dimension
-18 errors
+error: 18: array size must be an integer
+error: 19: array size must be an integer
+error: 20: expected array dimension
+error: 21: integer is out of range for type 'int': 4000000000
+20 errors