Fix out-of-bounds access in regex fuzzer

Fixes the regex fuzzer so that, when searching for an operator to
replace, it takes into account that the string being searched may be
very short, avoiding an issue where unsigned integer underflow would
occur.

Bug: crbug.com/1359193
Change-Id: I653a20429dc20385a64f8d684c81d023702458e6
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/102641
Kokoro: Kokoro <noreply+kokoro@google.com>
Auto-Submit: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Alastair Donaldson 2022-09-19 15:47:32 +00:00 committed by Dawn LUCI CQ
parent 4f8ed34b94
commit b7da8f612e
2 changed files with 10 additions and 2 deletions


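--- a/<test file path not shown on page>
+++ b/<test file path not shown on page>
@@ -545,6 +545,14 @@ d %= e;
 }
 }
+TEST(TestReplaceOperator, TestFindOperatorOccurrenceOnSmallStrings) {
+RandomGenerator generator(0);
+WgslMutatorTest mutator(generator);
+ASSERT_FALSE(mutator.FindOperatorOccurrence("", 0).has_value());
+ASSERT_FALSE(mutator.FindOperatorOccurrence(" ", 0).has_value());
+ASSERT_FALSE(mutator.FindOperatorOccurrence(" ", 0).has_value());
+}
 TEST(TestInsertBreakOrContinue, TestLoopPositions1) {
 RandomGenerator generator(0);
 WgslMutatorTest mutator(generator);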
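Review bot: The two assertions on the `" "` input read as identical as rendered, so the second is either a redundant duplicate or a two-space string whose extra space the page collapsed; since a size-2 string is exactly the boundary on which the old `wgsl_code.size() - 2` comparison underflowed, that case deserves to be spelled out unambiguously, e.g. `ASSERT_FALSE(mutator.FindOperatorOccurrence("  ", 0).has_value());  // size 2: the former size() - 2 underflow case`. A one-line comment on each of the three assertions naming the boundary it covers (empty string, size 1, size 2) would also make the test self-explaining. Note that all three calls start at index 0 only, so the last-index position of a longer string is not exercised by this test; if that is covered elsewhere, a comment pointing there would help.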


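--- a/<source file path not shown on page>
+++ b/<source file path not shown on page>
@@ -463,9 +463,9 @@ std::optional<std::pair<uint32_t, uint32_t>> WgslMutator::FindOperatorOccurrence
 // case where search has reached the end of the code string.
 char first_character = wgsl_code[current_index];
 char second_character =
-current_index == wgsl_code.size() - 1 ? '\0' : wgsl_code[current_index + 1];
+current_index + 1 == wgsl_code.size() ? '\0' : wgsl_code[current_index + 1];
 char third_character =
-current_index >= wgsl_code.size() - 2 ? '\0' : wgsl_code[current_index + 2];
+current_index + 2 >= wgsl_code.size() ? '\0' : wgsl_code[current_index + 2];
 // This uses the extracted characters to match for the various WGSL operators.
 switch (first_character) {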
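Review bot: The rewritten comparisons remove the unsigned underflow for strings shorter than two characters, but they still rely on `current_index < wgsl_code.size()` holding for the unguarded read `wgsl_code[current_index]` two lines above; whether that precondition is established is not visible here, because the enclosing loop of FindOperatorOccurrence starts before this hunk. A short comment would keep the next maintainer from "simplifying" back to the `size() - k` form: `// Compare as current_index + k against size() rather than size() - k: the subtraction underflows on strings shorter than k characters. Assumes current_index < wgsl_code.size().` If that assumption is not already checked by the caller or the loop condition, an `assert(current_index < wgsl_code.size());` before the first read would make it explicit and cheap.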