encounter/dawn-cmake
1
0
Fork 0
mirror of https://github.com/encounter/dawn-cmake.git synced 2025-12-10 14:08:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

tint/resolver: Fix bad pointer deref (UAF)

Browse Source 
Passing a dereferenced value from Hashmap::Find() directly into Hashmap::Add() is a potential cause of UAF, as the insertion may reallocate the map, invalidating the input reference.

I'll try to think of ways to make this foot-gun harder to do, but this CL fixes the immediate bug found by fuzzers.

Bug: chromium:1383755
Change-Id: I4f8b2fcb0745b008a47ef9947c330afb9ac4e78f
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/110020
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
This commit is contained in:
Ben Clayton
2022-11-13 18:26:25 +00:00
committed by Dawn LUCI CQ
parent 570a0faf26
commit c33d10ae79
8 changed files with 184 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/tint/resolver/resolver.cc
View File

@@ -2688,7 +2688,7 @@ sem::Array* Resolver::Array(const ast::Array* arr) {
if (el_ty->Is<sem::Atomic>()) {
atomic_composite_info_.Add(out, &arr->type->source);
} else {
if (auto* found = atomic_composite_info_.Find(el_ty)) {
if (auto found = atomic_composite_info_.Get(el_ty)) {
atomic_composite_info_.Add(out, *found);
}
}
@@ -3027,7 +3027,7 @@ sem::Struct* Resolver::Structure(const ast::Struct* str) {
atomic_composite_info_.Add(out, &sem_members[i]->Declaration()->source);
break;
} else {
if (auto* found = atomic_composite_info_.Find(mem_type)) {
if (auto found = atomic_composite_info_.Get(mem_type)) {
atomic_composite_info_.Add(out, *found);
break;
}