encounter
/
dawn-cmake
mirror of https://github.com/encounter/dawn-cmake.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix out-of-bounds access in regex fuzzer 

Fixes the regex fuzzer so that when searching for an operator to
replace, it takes account of the fact that the string being searched may
be very small, avoiding an issue where unsigned integer underflow would
occur.

Bug: crbug.com/1359193
Change-Id: I653a20429dc20385a64f8d684c81d023702458e6
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/102641
Kokoro: Kokoro <noreply+kokoro@google.com>
Auto-Submit: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
This commit is contained in:
Alastair Donaldson 2022-09-19 15:47:32 +00:00 committed by Dawn LUCI CQ
parent 4f8ed34b94
commit b7da8f612e
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc
View File

@ -545,6 +545,14 @@ d %= e;
}
}
TEST(TestReplaceOperator, TestFindOperatorOccurrenceOnSmallStrings) {
RandomGenerator generator(0);
WgslMutatorTest mutator(generator);
ASSERT_FALSE(mutator.FindOperatorOccurrence("", 0).has_value());
ASSERT_FALSE(mutator.FindOperatorOccurrence(" ", 0).has_value());
ASSERT_FALSE(mutator.FindOperatorOccurrence(" ", 0).has_value());
}
TEST(TestInsertBreakOrContinue, TestLoopPositions1) {
RandomGenerator generator(0);
WgslMutatorTest mutator(generator);

4
src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc
View File

@ -463,9 +463,9 @@ std::optional<std::pair<uint32_t, uint32_t>> WgslMutator::FindOperatorOccurrence
// case where search has reached the end of the code string.
char first_character = wgsl_code[current_index];
char second_character =
current_index == wgsl_code.size() - 1 ? '\0' : wgsl_code[current_index + 1];
current_index + 1 == wgsl_code.size() ? '\0' : wgsl_code[current_index + 1];
char third_character =
current_index >= wgsl_code.size() - 2 ? '\0' : wgsl_code[current_index + 2];
current_index + 2 >= wgsl_code.size() ? '\0' : wgsl_code[current_index + 2];
// This uses the extracted characters to match for the various WGSL operators.
switch (first_character) {