Fix fuzzer crash when casting between int and float.

The fix submitted at http://review.skia.org/335868 did not support casts. The fuzzer discovered this shortcoming right away. Change-Id: I2f5166528cee41367348564d4e664476fd5704ff Bug: oss-fuzz:27650 Reviewed-on: https://skia-review.googlesource.com/c/skia/+/336656 Commit-Queue: Brian Osman <brianosman@google.com> Reviewed-by: Brian Osman <brianosman@google.com> Auto-Submit: John Stiles <johnstiles@google.com>
2020-11-19 17:36:17 -05:00 · 2020-11-19 17:36:17 -05:00 · 8c58899371
commit 8c58899371
parent 9dce4d081f
4 changed files with 22 additions and 6 deletions
--- a/gn/sksl_tests.gni
+++ b/gn/sksl_tests.gni
@ -114,6 +114,7 @@ sksl_error_tests = [
  "$_tests/sksl/errors/OpenArray.sksl",
  "$_tests/sksl/errors/Ossfuzz26700.sksl",
  "$_tests/sksl/errors/Ossfuzz26759.sksl",
+  "$_tests/sksl/errors/Ossfuzz27650.sksl",
  "$_tests/sksl/errors/OverflowIntLiteral.sksl",
  "$_tests/sksl/errors/OverflowUintLiteral.sksl",
  "$_tests/sksl/errors/PrivateTypes.sksl",
--- a/src/sksl/ir/SkSLConstructor.cpp
+++ b/src/sksl/ir/SkSLConstructor.cpp
@ -194,17 +194,27 @@ SKSL_FLOAT Constructor::getMatComponent(int col, int row) const {
 }

 int64_t Constructor::getConstantInt() const {
+    // We're looking for scalar integer constructors only, i.e. `int(1)`.
    SkASSERT(this->arguments().size() == 1);
-    SkASSERT(this->arguments().front()->type().typeKind() == Type::TypeKind::kScalar);
-    SkASSERT(this->arguments().front()->type().isInteger());
-    return this->arguments().front()->getConstantInt();
+    SkASSERT(this->type().columns() == 1);
+    SkASSERT(this->type().isInteger());
+
+    // The inner argument might actually be a float! `int(1.0)` is a valid cast.
+    const Expression& expr = *this->arguments().front();
+    SkASSERT(expr.type().typeKind() == Type::TypeKind::kScalar);
+    return expr.type().isInteger() ? expr.getConstantInt() : (int64_t)expr.getConstantFloat();
 }

 SKSL_FLOAT Constructor::getConstantFloat() const {
+    // We're looking for scalar integer constructors only, i.e. `float(1.0)`.
    SkASSERT(this->arguments().size() == 1);
-    SkASSERT(this->arguments().front()->type().typeKind() == Type::TypeKind::kScalar);
-    SkASSERT(this->arguments().front()->type().isFloat());
-    return this->arguments().front()->getConstantFloat();
+    SkASSERT(this->type().columns() == 1);
+    SkASSERT(this->type().isFloat());
+
+    // The inner argument might actually be an integer! `float(1)` is a valid cast.
+    const Expression& expr = *this->arguments().front();
+    SkASSERT(expr.type().typeKind() == Type::TypeKind::kScalar);
+    return expr.type().isFloat() ? expr.getConstantFloat() : (SKSL_FLOAT)expr.getConstantInt();
 }

 }  // namespace SkSL
--- a/tests/sksl/errors/Ossfuzz27650.sksl
+++ b/tests/sksl/errors/Ossfuzz27650.sksl
@ -0,0 +1 @@
+void main() { int i=9E7; 2+int4(i); }
--- a/tests/sksl/errors/golden/Ossfuzz27650.glsl
+++ b/tests/sksl/errors/golden/Ossfuzz27650.glsl
@ -0,0 +1,4 @@
+### Compilation failed:
+
+error: 1: expected 'int', but found 'float'
+1 error