From e56b5f1097fde5e3af6b577a49cb0bb6eef59238 Mon Sep 17 00:00:00 2001
From: Corentin Wallez
Date: Mon, 4 Apr 2022 12:22:52 +0000
Subject: [PATCH] dawn.node: Check for OOB in setBindGroup's typed array variant.
Bug: dawn:1123
Change-Id: I9ded6c76d50183ff14158e573b2c1a36a1becb3a
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/85641
Commit-Queue: Corentin Wallez
Reviewed-by: Ben Clayton
---
 src/dawn/node/binding/GPUComputePassEncoder.cpp | 16 ++++++++++++++++
 src/dawn/node/binding/GPURenderPassEncoder.cpp | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/src/dawn/node/binding/GPUComputePassEncoder.cpp b/src/dawn/node/binding/GPUComputePassEncoder.cpp
index fa287710c7..b08518ed72 100644
--- a/src/dawn/node/binding/GPUComputePassEncoder.cpp
+++ b/src/dawn/node/binding/GPUComputePassEncoder.cpp
@@ -84,6 +84,22 @@ namespace wgpu::binding {
 return;
 }
+ if (dynamicOffsetsDataStart > dynamicOffsetsData.ElementLength()) {
+ Napi::RangeError::New(env,
+ "dynamicOffsetsDataStart is out of bound of dynamicOffsetData")
+ .ThrowAsJavaScriptException();
+ return;
+ }
+
+ if (dynamicOffsetsDataLength >
+ dynamicOffsetsData.ElementLength() - dynamicOffsetsDataStart) {
+ Napi::RangeError::New(env,
+ "dynamicOffsetsDataLength + dynamicOffsetsDataStart is out of "
+ "bound of dynamicOffsetData")
+ .ThrowAsJavaScriptException();
+ return;
+ }
+
 enc_.SetBindGroup(index, bg, dynamicOffsetsDataLength, dynamicOffsetsData.Data() + dynamicOffsetsDataStart);
 }
diff --git a/src/dawn/node/binding/GPURenderPassEncoder.cpp b/src/dawn/node/binding/GPURenderPassEncoder.cpp
index 39c763647b..694da62bfb 100644
--- a/src/dawn/node/binding/GPURenderPassEncoder.cpp
+++ b/src/dawn/node/binding/GPURenderPassEncoder.cpp
@@ -119,6 +119,22 @@ namespace wgpu::binding {
 return;
 }
+ if (dynamicOffsetsDataStart > dynamicOffsetsData.ElementLength()) {
+ Napi::RangeError::New(env,
+ "dynamicOffsetsDataStart is out of bound of dynamicOffsetData")
+ .ThrowAsJavaScriptException();
+ return;
+ }
+
+ if (dynamicOffsetsDataLength >
+ dynamicOffsetsData.ElementLength() - dynamicOffsetsDataStart) {
+ Napi::RangeError::New(env,
+ "dynamicOffsetsDataLength + dynamicOffsetsDataStart is out of "
+ "bound of dynamicOffsetData")
+ .ThrowAsJavaScriptException();
+ return;
+ }
+
 enc_.SetBindGroup(index, bg, dynamicOffsetsDataLength, dynamicOffsetsData.Data() + dynamicOffsetsDataStart);
 }
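Review bot: The same two range checks are pasted verbatim into this setBindGroup overload and the one in GPUComputePassEncoder.cpp, so another encoder with the typed-array overload can easily stay unguarded; WebGPU's GPURenderBundleEncoder exposes this overload too and its binding is not touched by this patch, so it is worth confirming it does not still pass `dynamicOffsetsData.Data() + dynamicOffsetsDataStart` unchecked. A small shared helper that takes the element length, start and length and reports whether the range is valid would keep the copies from drifting. The order of the checks is what makes the subtraction safe, which deserves a comment on the second check such as `// start <= ElementLength() was verified above, so this subtraction cannot wrap`. Both messages name `dynamicOffsetData` while the parameter is `dynamicOffsetsData`; `"dynamicOffsetsDataStart is out of bounds of dynamicOffsetsData"` would match the API. The function starts above the hunk, and the patch adds no test; cases for a start equal to the element length, a start beyond it, and a length larger than the remainder would pin the boundaries.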