Fix OOB write in matrix constructor #2656
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In a matrix constructor that takes a number of components, as many
components as necessary must be taken, with the rest discarded, as GLSL
allows more components than necessary to be specified. For example, the
following:
mat4 m4 = mat4(v4, v4.yzwx, v4.zwx, v4.zwxy, v4.wxyz);
is equivalent to:
mat4 m4 = mat4(v4, v4.yzwx, v4.zwx, v4.zwxy, v4.w);
glslang takes the components from the constructor and builds the single
components of the matrix in a 2D array before constructing the matrix
itself. It however did not check for extra parameters and was thus
writing OOB to said 2D array. This is fixed in this change
Signed-off-by: Shahbaz Youssefi <shabbyx@gmail.com>
|
@greg-lunarg another clusterfuzz bug found |
greg-lunarg
approved these changes
Jun 4, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In a matrix constructor that takes a number of components, as many
components as necessary must be taken, with the rest discarded, as GLSL
allows more components than necessary to be specified. For example, the
following:
is equivalent to:
glslang takes the components from the constructor and builds the single
components of the matrix in a 2D array before constructing the matrix
itself. It however did not check for extra parameters and was thus
writing OOB to said 2D array. This is fixed in this change
Signed-off-by: Shahbaz Youssefi shabbyx@gmail.com