9cef66fbf56edf43233792e926e12eec952e7799 - skia

commit	9cef66fbf56edf43233792e926e12eec952e7799	[log] [tgz]
author	John Stiles <johnstiles@google.com>	Fri Oct 23 09:46:11 2020 -0400
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	Fri Oct 23 16:10:15 2020 +0000
tree	9bd616fbebea2a44dfec5736e5cf636b2b5df225
parent	15d8174fc94492485552f9729508a4bfb32320a0 [diff]

Fix use-after-free discovered by fuzzer.

In cases where multiple variables were declared on a single line, it is
legal for variable initialization-expressions to reference variables
declared earlier in the var-decl statement. It is NOT legal for the
inliner to move those references up to the previous statement, where the
variable doesn't exist yet.

This is mitigated by disabling the IRGenerator inliner for var-decls
past the first one in a var-decls statement. (The optimizer will still
pass over this code later and is able to inline it correctly, if it is
worth doing.)

Change-Id: I7a0d45eab20e30ed9f6b2f5c1251b6e0d8eeaea3
Bug: oss-fuzz:26167
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/329357
Auto-Submit: John Stiles <johnstiles@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>

gn/sksl_tests.gni[diff]
src/sksl/SkSLIRGenerator.cpp[diff]
tests/sksl/shared/Ossfuzz26167.sksl[Added - diff]
tests/sksl/shared/golden/Ossfuzz26167.glsl[Added - diff]
tests/sksl/shared/golden/Ossfuzz26167.metal[Added - diff]

5 files changed