fuzzers: Fix Reader::vector<T>()

count != size

Bug: chromium:1231169
Change-Id: I11420fd665db787546df5616ab3f884b5c972abf
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59020
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
This commit is contained in:
Ben Clayton 2021-07-20 18:59:10 +00:00 committed by Tint LUCI CQ
parent a294371151
commit 88bd8a1690
1 changed files with 9 additions and 6 deletions


@ -45,15 +45,16 @@ class Reader {
template <typename T> template <typename T>
std::vector<T> vector() { std::vector<T> vector() {
auto count = read<uint8_t>(); auto count = read<uint8_t>();
if (failed_ || size_ < count) { auto size = static_cast<size_t>(count) * sizeof(T);
if (failed_ || size_ < size) {
mark_failed(); mark_failed();
return {}; return {};
} }
std::vector<T> out(count); std::vector<T> out(count);
if (!out.empty()) { if (!out.empty()) {
memcpy(out.data(), data_, count * sizeof(T)); memcpy(out.data(), data_, size);
data_ += count * sizeof(T); data_ += size;
size_ -= count * sizeof(T); size_ -= size;
} }
return out; return out;
} }
@ -61,13 +62,15 @@ class Reader {
template <typename T> template <typename T>
std::vector<T> vector(T (*extract)(Reader*)) { std::vector<T> vector(T (*extract)(Reader*)) {
auto count = read<uint8_t>(); auto count = read<uint8_t>();
if (size_ < count) { if (failed_) {
mark_failed();
return {}; return {};
} }
std::vector<T> out(count); std::vector<T> out(count);
for (uint8_t i = 0; i < count; i++) { for (uint8_t i = 0; i < count; i++) {
out[i] = extract(this); out[i] = extract(this);
if (failed_) {
return {};
}
} }
return out; return out;
} }
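Review bot: In the first overload, `memcpy(out.data(), data_, size)` assumes T is trivially copyable, and nothing in the template constrains that; an instantiation with a non-trivial T would still compile and then overwrite the objects' representations with raw fuzzer bytes. A compile-time guard at the top of the body makes the precondition explicit: `static_assert(std::is_trivially_copyable<T>::value, "Reader::vector<T>() copies raw bytes; T must be trivially copyable");` (this needs `<type_traits>` if the file does not already include it). The second overload fills `out` through `extract` and has no such requirement, so it needs no guard. Both function bodies are complete inside their hunks; the enclosing `class Reader` begins and ends outside them.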