Fix for fuzzer-discovered out-of-bounds array access.
Change-Id: I4280b5710dd8749ba766ba74d7a8886bc4e024bb
Bug: oss-fuzz:35124
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/417200
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
diff --git a/resources/sksl/runtime_errors/InvalidBlendMain.rtb b/resources/sksl/runtime_errors/InvalidBlendMain.rtb
index 3ef8011..9815948 100644
--- a/resources/sksl/runtime_errors/InvalidBlendMain.rtb
+++ b/resources/sksl/runtime_errors/InvalidBlendMain.rtb
@@ -1,11 +1,12 @@
// Runtime blend modes require specific main signatures.
// Ensure that signatures intended for other runtime effect types don't work.
-// Expect 4 errors
+// Expect 5 errors
half4 main() { return half4(1); }
half4 main(half4 src) { return src; }
half4 main(half2 coords, half4 src) { return src; }
half4 main(half2 coords, half4 src, half4 dst) { return src * dst; }
+half4 main(half4 src, half4 dst, half4 bonusColor) { return src * dst; }
half4 main(half4 src, half4 dst) { return src * dst; } // the correct signature is allowed
diff --git a/resources/sksl/runtime_errors/InvalidColorFilterMain.rtcf b/resources/sksl/runtime_errors/InvalidColorFilterMain.rtcf
index a955a6f..e807155 100644
--- a/resources/sksl/runtime_errors/InvalidColorFilterMain.rtcf
+++ b/resources/sksl/runtime_errors/InvalidColorFilterMain.rtcf
@@ -1,8 +1,11 @@
// Runtime color filters require specific main signatures. Test that older signatures, or those
// intended for shaders don't work.
-// Expect 3 errors
+// Expect 4 errors
half4 main() { return half(1); }
half4 main(float2 coord) { return half4(1); }
-half4 main(float2 coord, half4 color) { return color; }
\ No newline at end of file
+half4 main(float2 coord, half4 color) { return color; }
+half4 main(half4 color, half4 bonusColor) { return color; }
+
+half4 main(half4 color) { return color; } // the correct signature is allowed
diff --git a/resources/sksl/runtime_errors/InvalidShaderMain.rts b/resources/sksl/runtime_errors/InvalidShaderMain.rts
index 3d63a36..db16d8c 100644
--- a/resources/sksl/runtime_errors/InvalidShaderMain.rts
+++ b/resources/sksl/runtime_errors/InvalidShaderMain.rts
@@ -1,7 +1,11 @@
// Runtime shaders require specific main signatures. Test that older signatures, or those intended
// for color filters don't work.
-// Expect 2 errors
+// Expect 4 errors
half4 main() { return half4(1); }
half4 main(half4 color) { return color; }
+half4 main(float2 xy, half4 color, half4 bonusColor) { return color; }
+half4 main(half4 outOfOrderColor, float2 outOfOrderXy) { return color; }
+
+half4 main(float2 xy, half4 color) { return color; } // the correct signature is allowed
diff --git a/src/sksl/ir/SkSLFunctionDeclaration.cpp b/src/sksl/ir/SkSLFunctionDeclaration.cpp
index a8c93ae..347fa07 100644
--- a/src/sksl/ir/SkSLFunctionDeclaration.cpp
+++ b/src/sksl/ir/SkSLFunctionDeclaration.cpp
@@ -69,10 +69,11 @@
return type == *context.fTypes.fHalf4 || type == *context.fTypes.fFloat4;
};
- // Check modifiers on each function parameter.
+ // The first color parameter passed to main() is the input color; the second is the dest color.
static constexpr int kBuiltinColorIDs[] = {SK_INPUT_COLOR_BUILTIN, SK_DEST_COLOR_BUILTIN};
unsigned int builtinColorIndex = 0;
+ // Check modifiers on each function parameter.
for (auto& param : parameters) {
IRGenerator::CheckModifiers(context, param->fOffset, param->modifiers(),
Modifiers::kConst_Flag | Modifiers::kIn_Flag |
@@ -98,9 +99,8 @@
// a half4/float parameter is supposed to be the input or destination color:
if (type == *context.fTypes.fFloat2) {
m.fLayout.fBuiltin = SK_MAIN_COORDS_BUILTIN;
- } else if (typeIsValidForColor(type)) {
- // The first color we encounter is the input color; the second is the dest color.
- SkASSERT(builtinColorIndex < SK_ARRAY_COUNT(kBuiltinColorIDs));
+ } else if (typeIsValidForColor(type) &&
+ builtinColorIndex < SK_ARRAY_COUNT(kBuiltinColorIDs)) {
m.fLayout.fBuiltin = kBuiltinColorIDs[builtinColorIndex++];
}
if (m.fLayout.fBuiltin) {
diff --git a/tests/sksl/runtime_errors/InvalidBlendMain.skvm b/tests/sksl/runtime_errors/InvalidBlendMain.skvm
index c7e4082..3d4bc70 100644
--- a/tests/sksl/runtime_errors/InvalidBlendMain.skvm
+++ b/tests/sksl/runtime_errors/InvalidBlendMain.skvm
@@ -4,4 +4,5 @@
error: 7: 'main' parameters must be (vec4|float4|half4, vec4|float4|half4)
error: 8: 'main' parameters must be (vec4|float4|half4, vec4|float4|half4)
error: 9: 'main' parameters must be (vec4|float4|half4, vec4|float4|half4)
-4 errors
+error: 10: 'main' parameters must be (vec4|float4|half4, vec4|float4|half4)
+5 errors
diff --git a/tests/sksl/runtime_errors/InvalidColorFilterMain.skvm b/tests/sksl/runtime_errors/InvalidColorFilterMain.skvm
index b691376..b5a422a 100644
--- a/tests/sksl/runtime_errors/InvalidColorFilterMain.skvm
+++ b/tests/sksl/runtime_errors/InvalidColorFilterMain.skvm
@@ -3,4 +3,5 @@
error: 6: 'main' parameter must be 'vec4', 'float4', or 'half4'
error: 7: 'main' parameter must be 'vec4', 'float4', or 'half4'
error: 8: 'main' parameter must be 'vec4', 'float4', or 'half4'
-3 errors
+error: 9: 'main' parameter must be 'vec4', 'float4', or 'half4'
+4 errors
diff --git a/tests/sksl/runtime_errors/InvalidShaderMain.skvm b/tests/sksl/runtime_errors/InvalidShaderMain.skvm
index 7ebeed8..70ed247 100644
--- a/tests/sksl/runtime_errors/InvalidShaderMain.skvm
+++ b/tests/sksl/runtime_errors/InvalidShaderMain.skvm
@@ -2,4 +2,6 @@
error: 6: 'main' parameters must be (float2, (vec4|float4|half4)?)
error: 7: 'main' parameters must be (float2, (vec4|float4|half4)?)
-2 errors
+error: 8: 'main' parameters must be (float2, (vec4|float4|half4)?)
+error: 9: 'main' parameters must be (float2, (vec4|float4|half4)?)
+4 errors
