Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / skia / 8f633ef2b5f72872d89445fc3ce3981f0e49756d^! / . / src / sksl / SkSLIRGenerator.cpp
commit8f633ef2b5f72872d89445fc3ce3981f0e49756d[log] [tgz]
authorJohn Stiles <johnstiles@google.com>Sat Aug 21 17:13:11 2021 -0400
committerSkCQ <skcq-be@skia-corp.google.com.iam.gserviceaccount.com>Mon Aug 23 14:23:46 2021 +0000
treed2ba3798e3dc84f6a0eec85b10c998159ff60b87
parente312532442d152d0f4049559884488f021852ff7 [diff] [blame]
Fix assertion discovered by fuzzer.

We now stop processing a var-declaration if its array-size expression is
invalid. Previously, we'd pass a null array-size expression into
convertVar, which would assert (but would fail cleanly afterwards).

Change-Id: I976f3326e32afbc7045a86d73c0dcb28f418a6f4
Bug: oss-fuzz:37457
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/441079
Auto-Submit: John Stiles <johnstiles@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>

diff --git a/src/sksl/SkSLIRGenerator.cpp b/src/sksl/SkSLIRGenerator.cpp
index e82e9c0..c4eeb8c 100644
--- a/src/sksl/SkSLIRGenerator.cpp
+++ b/src/sksl/SkSLIRGenerator.cpp

@@ -411,12 +411,14 @@
         std::unique_ptr<Expression> value;
         auto iter = varDecl.begin();
         if (iter != varDecl.end() && varData.fIsArray) {
-            if (*iter) {
-                arraySize = this->convertExpression(*iter++);
-            } else {
+            if (!*iter) {
                 this->errorReporter().error(decls.fOffset, "array must have a size");
                 continue;
             }
+            arraySize = this->convertExpression(*iter++);
+            if (!arraySize) {
+                continue;
+            }
         }
         if (iter != varDecl.end()) {
             value = this->convertExpression(*iter);