encounter
/
dawn-cmake
mirror of https://github.com/encounter/dawn-cmake.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fuzzers: Fix use-after-free 

Diagnostics hold a pointer to the source, used for printing the source in the error message.
Because of this, the source must live at least as long as the diag::list.

Fixed: chromium:1232097
Change-Id: Iad8b30a2bd69f505dd8bb0eadc5a35115400d047
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59360
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
This commit is contained in:
Ben Clayton 2021-07-22 22:53:24 +00:00 committed by Tint LUCI CQ
parent fced350b3d
commit ba93d14c9a
2 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
fuzzers/tint_common_fuzzer.cc
View File

@ -197,10 +197,6 @@ int CommonFuzzer::Run(const uint8_t* data, size_t size) {
Program program; Program program;
#if TINT_BUILD_WGSL_READER
std::unique_ptr<Source::File> file;
#endif // TINT_BUILD_WGSL_READER
#if TINT_BUILD_SPV_READER #if TINT_BUILD_SPV_READER
std::vector<uint32_t> spirv_input(size / sizeof(uint32_t)); std::vector<uint32_t> spirv_input(size / sizeof(uint32_t));
@ -209,9 +205,12 @@ int CommonFuzzer::Run(const uint8_t* data, size_t size) {
switch (input_) { switch (input_) {
#if TINT_BUILD_WGSL_READER #if TINT_BUILD_WGSL_READER
case InputFormat::kWGSL: { case InputFormat::kWGSL: {
// Clear any existing diagnostics, as these will hold pointers to file_,
// which we are about to release.
diagnostics_ = {};
std::string str(reinterpret_cast<const char*>(data), size); std::string str(reinterpret_cast<const char*>(data), size);
file = std::make_unique<Source::File>("test.wgsl", str); file_ = std::make_unique<Source::File>("test.wgsl", str);
program = reader::wgsl::Parse(file.get()); program = reader::wgsl::Parse(file_.get());
break; break;
} }
#endif // TINT_BUILD_WGSL_READER #endif // TINT_BUILD_WGSL_READER

6
fuzzers/tint_common_fuzzer.h
View File

@ -16,6 +16,7 @@
#define FUZZERS_TINT_COMMON_FUZZER_H_ #define FUZZERS_TINT_COMMON_FUZZER_H_
#include <cstring> #include <cstring>
#include <memory>
#include <string> #include <string>
#include <utility> #include <utility>
#include <vector> #include <vector>
@ -169,6 +170,11 @@ class CommonFuzzer {
writer::wgsl::Options options_wgsl_; writer::wgsl::Options options_wgsl_;
writer::hlsl::Options options_hlsl_; writer::hlsl::Options options_hlsl_;
writer::msl::Options options_msl_; writer::msl::Options options_msl_;
#if TINT_BUILD_WGSL_READER
/// The source file needs to live at least as long as #diagnostics_
std::unique_ptr<Source::File> file_;
#endif // TINT_BUILD_WGSL_READER
}; };
} // namespace fuzzers } // namespace fuzzers