[spirv] Guard against instruction length overflow
This assertion prevents instruction word length overflow from being a
potential security issue due to invalid SPIR-V being generated, and
instead makes it a GPU process crash.
Bug: 366067963
Change-Id: Ieb1186361f6e9129eba62b0109cce7d8f767ea01
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/206717
Commit-Queue: James Price <jrprice@google.com>
Auto-Submit: James Price <jrprice@google.com>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Commit-Queue: dan sinclair <dsinclair@chromium.org>
diff --git a/src/tint/lang/spirv/writer/common/binary_writer.cc b/src/tint/lang/spirv/writer/common/binary_writer.cc
index 921751a..56bd5a7 100644
--- a/src/tint/lang/spirv/writer/common/binary_writer.cc
+++ b/src/tint/lang/spirv/writer/common/binary_writer.cc
@@ -59,6 +59,7 @@
}
void BinaryWriter::ProcessInstruction(const Instruction& inst) {
+ TINT_ASSERT(inst.WordLength() < 65536);
out_.push_back(inst.WordLength() << 16 | static_cast<uint32_t>(inst.Opcode()));
for (const auto& op : inst.Operands()) {
ProcessOp(op);
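Review bot: The added `TINT_ASSERT(inst.WordLength() < 65536);` has no comment saying where the bound comes from, and the bare 65536 hides that the limit is the 16-bit word-count field packed by `inst.WordLength() << 16` on the next line. A comment such as `// The word count lives in the upper 16 bits of the first instruction word; a larger value does not fit and would produce a malformed module.` would keep the security intent visible at the call site. The commit message relies on this assertion being fatal in release builds, which the hunk does not show, so confirm that `TINT_ASSERT` is neither compiled out nor routed to a non-fatal reporter in the shipping configuration. If oversized instructions can be reached from application-supplied shaders, returning a compile error earlier in the writer would avoid turning them into a GPU-process crash. The body of `ProcessInstruction` continues past the end of the hunk.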