From b7da8f612ec06f06563502d29560dc09b9f5b311 Mon Sep 17 00:00:00 2001
From: Alastair Donaldson
Date: Mon, 19 Sep 2022 15:47:32 +0000
Subject: [PATCH] Fix out-of-bounds access in regex fuzzer
Fixes the regex fuzzer so that when searching for an operator to replace, it takes account of the fact that the string being searched may be very small, avoiding an issue where unsigned integer underflow would occur.
Bug: crbug.com/1359193
Change-Id: I653a20429dc20385a64f8d684c81d023702458e6
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/102641
Kokoro: Kokoro
Auto-Submit: Alastair Donaldson
Commit-Queue: Ryan Harrison
Reviewed-by: Ben Clayton
Reviewed-by: Ryan Harrison
---
 src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc | 8 ++++++++
 src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc b/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc
index fb1d5089a6..b8e3288519 100644
--- a/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc
+++ b/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc
@@ -545,6 +545,14 @@ d %= e;
 }
 }
 
+TEST(TestReplaceOperator, TestFindOperatorOccurrenceOnSmallStrings) {
+ RandomGenerator generator(0);
+ WgslMutatorTest mutator(generator);
+ ASSERT_FALSE(mutator.FindOperatorOccurrence("", 0).has_value());
+ ASSERT_FALSE(mutator.FindOperatorOccurrence(" ", 0).has_value());
+ ASSERT_FALSE(mutator.FindOperatorOccurrence(" ", 0).has_value());
+}
+
 TEST(TestInsertBreakOrContinue, TestLoopPositions1) {
 RandomGenerator generator(0);
 WgslMutatorTest mutator(generator);
diff --git a/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc b/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc
index 46db837ed0..c5125a4143 100644
--- a/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc
+++ b/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc
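Review bot: TestFindOperatorOccurrenceOnSmallStrings pins only the negative case — that "", " " and the two-space input yield no operator — so it does not show that the rewritten end-of-string checks in wgsl_mutator.cc still report an operator that sits at the very end of a short string. A positive assertion on a one- or two-character input that is itself an operator, e.g. `ASSERT_TRUE(mutator.FindOperatorOccurrence("+", 0).has_value());` (assuming `+` is among the operators the function recognises), would guard the boundary in both directions. Note also that the defect being fixed is an out-of-bounds read past the string's end, which a plain build may well not surface — the stray byte can read as '\0' and all three ASSERT_FALSE checks could pass against the unfixed code — so this regression test is only a reliable detector under an ASan/UBSan configuration, which is worth stating in a comment on the test: `// Regression test for crbug.com/1359193; relies on a sanitizer build to catch the out-of-bounds read.`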
@@ -463,9 +463,9 @@ std::optional> WgslMutator::FindOperatorOccurrence
 // case where search has reached the end of the code string.
 char first_character = wgsl_code[current_index];
 char second_character =
- current_index == wgsl_code.size() - 1 ? '\0' : wgsl_code[current_index + 1];
+ current_index + 1 == wgsl_code.size() ? '\0' : wgsl_code[current_index + 1];
 char third_character =
- current_index >= wgsl_code.size() - 2 ? '\0' : wgsl_code[current_index + 2];
+ current_index + 2 >= wgsl_code.size() ? '\0' : wgsl_code[current_index + 2];
 // This uses the extracted characters to match for the various WGSL operators.
 switch (first_character) {