Fix out-of-bounds array access discovered by fuzzer.
The root cause of this error is that Metal does not support upcasting
a small matrix into a larger matrix (I was unfamiliar with this GLSL
ability). Proper support in Metal for that type of cast will be added in
a followup CL. For now, this CL adds defensive bounds-checking to
placate ASAN.
Change-Id: Ieb0d6b14f9bc7ecc9ef6223364c606612dc79e43
Bug: oss-fuzz:22776
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/308182
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Jim Van Verth <jvanverth@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Jim Van Verth <jvanverth@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
diff --git a/src/sksl/SkSLMetalCodeGenerator.cpp b/src/sksl/SkSLMetalCodeGenerator.cpp
index ad2ca45..026c85e 100644
--- a/src/sksl/SkSLMetalCodeGenerator.cpp
+++ b/src/sksl/SkSLMetalCodeGenerator.cpp
@@ -439,33 +439,38 @@
fExtraFunctions.printf("%s", rowSeparator);
rowSeparator = ", ";
- const Type& argType = args[argIndex]->fType;
- switch (argType.kind()) {
- case Type::kScalar_Kind: {
- fExtraFunctions.printf("x%zu", argIndex);
- break;
+ if (argIndex < args.size()) {
+ const Type& argType = args[argIndex]->fType;
+ switch (argType.kind()) {
+ case Type::kScalar_Kind: {
+ fExtraFunctions.printf("x%zu", argIndex);
+ break;
+ }
+ case Type::kVector_Kind: {
+ fExtraFunctions.printf("x%zu[%d]", argIndex, argPosition);
+ break;
+ }
+ case Type::kMatrix_Kind: {
+ fExtraFunctions.printf("x%zu[%d][%d]", argIndex,
+ argPosition / argType.rows(),
+ argPosition % argType.rows());
+ break;
+ }
+ default: {
+ SkDEBUGFAIL("incorrect type of argument for matrix constructor");
+ fExtraFunctions.printf("<error>");
+ break;
+ }
}
- case Type::kVector_Kind: {
- fExtraFunctions.printf("x%zu[%d]", argIndex, argPosition);
- break;
- }
- case Type::kMatrix_Kind: {
- fExtraFunctions.printf("x%zu[%d][%d]", argIndex,
- argPosition / argType.rows(),
- argPosition % argType.rows());
- break;
- }
- default: {
- SkDEBUGFAIL("incorrect type of argument for matrix constructor");
- fExtraFunctions.printf("<error>");
- break;
- }
- }
- ++argPosition;
- if (argPosition >= argType.columns() * argType.rows()) {
- ++argIndex;
- argPosition = 0;
+ ++argPosition;
+ if (argPosition >= argType.columns() * argType.rows()) {
+ ++argIndex;
+ argPosition = 0;
+ }
+ } else {
+ SkDEBUGFAIL("not enough arguments for matrix constructor");
+ fExtraFunctions.printf("<error>");
}
}
}
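Review bot: The new `else` branch treats running out of arguments as an internal invariant failure, but the commit message says the case comes from a matrix-upcast constructor that is legal in the source language, so it is reachable from ordinary (and fuzzer-supplied) input. In debug builds `SkDEBUGFAIL("not enough arguments for matrix constructor")` would then abort on that input, and in release builds the literal `<error>` is written into the generated Metal helper with nothing reported to the caller, so the failure only surfaces later as a shader compile error. Until the follow-up CL lands, I would drop the assert here and report the problem through the generator's error reporter instead (assuming it is reachable from this function, which starts and ends outside the hunk), so the compile fails cleanly at this point. At minimum, add a comment above the branch such as `// Reachable from valid SkSL (small-to-large matrix cast, oss-fuzz:22776); emits a placeholder until Metal support is added.`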