From 88bd8a16901373a57e5789101df4485dfb0819ea Mon Sep 17 00:00:00 2001
From: Ben Clayton <bclayton@google.com>
Date: Tue, 20 Jul 2021 18:59:10 +0000
Subject: [PATCH] fuzzers: Fix Reader::vector<T>()

count != size

Bug: chromium:1231169
Change-Id: I11420fd665db787546df5616ab3f884b5c972abf
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59020
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
---
 fuzzers/tint_common_fuzzer.h | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/fuzzers/tint_common_fuzzer.h b/fuzzers/tint_common_fuzzer.h
index 32475cccc6..c6e8dcca7f 100644
--- a/fuzzers/tint_common_fuzzer.h
+++ b/fuzzers/tint_common_fuzzer.h
@@ -45,15 +45,16 @@ class Reader {
   template <typename T>
   std::vector<T> vector() {
     auto count = read<uint8_t>();
-    if (failed_ || size_ < count) {
+    auto size = static_cast<size_t>(count) * sizeof(T);
+    if (failed_ || size_ < size) {
       mark_failed();
       return {};
     }
     std::vector<T> out(count);
     if (!out.empty()) {
-      memcpy(out.data(), data_, count * sizeof(T));
-      data_ += count * sizeof(T);
-      size_ -= count * sizeof(T);
+      memcpy(out.data(), data_, size);
+      data_ += size;
+      size_ -= size;
     }
     return out;
   }
@@ -61,13 +62,15 @@ class Reader {
   template <typename T>
   std::vector<T> vector(T (*extract)(Reader*)) {
     auto count = read<uint8_t>();
-    if (size_ < count) {
-      mark_failed();
+    if (failed_) {
       return {};
     }
     std::vector<T> out(count);
     for (uint8_t i = 0; i < count; i++) {
       out[i] = extract(this);
+      if (failed_) {
+        return {};
+      }
     }
     return out;
   }