fuzzers: Fix Reader::vector<T>()

count != size Bug: chromium:1231169 Change-Id: I11420fd665db787546df5616ab3f884b5c972abf Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59020 Auto-Submit: Ben Clayton <bclayton@google.com> Kokoro: Kokoro <noreply+kokoro@google.com> Commit-Queue: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
2021-07-20 18:59:10 +00:00 · 2021-07-20 18:59:10 +00:00 · 88bd8a1690
parent a294371151
commit 88bd8a1690
1 changed files with 9 additions and 6 deletions
--- a/fuzzers/tint_common_fuzzer.h
+++ b/fuzzers/tint_common_fuzzer.h
@ -45,15 +45,16 @@ class Reader {
  template <typename T>
  std::vector<T> vector() {
    auto count = read<uint8_t>();
-    if (failed_ || size_ < count) {
+    auto size = static_cast<size_t>(count) * sizeof(T);
+    if (failed_ || size_ < size) {
      mark_failed();
      return {};
    }
    std::vector<T> out(count);
    if (!out.empty()) {
-      memcpy(out.data(), data_, count * sizeof(T));
-      data_ += count * sizeof(T);
-      size_ -= count * sizeof(T);
+      memcpy(out.data(), data_, size);
+      data_ += size;
+      size_ -= size;
    }
    return out;
  }
@ -61,13 +62,15 @@ class Reader {
  template <typename T>
  std::vector<T> vector(T (*extract)(Reader*)) {
    auto count = read<uint8_t>();
-    if (size_ < count) {
-      mark_failed();
+    if (failed_) {
      return {};
    }
    std::vector<T> out(count);
    for (uint8_t i = 0; i < count; i++) {
      out[i] = extract(this);
+      if (failed_) {
+        return {};
+      }
    }
    return out;
  }