Google Git
Sign in
dawn / dawn / b7da8f612ec06f06563502d29560dc09b9f5b311^! / .
commitb7da8f612ec06f06563502d29560dc09b9f5b311[log] [tgz]
authorAlastair Donaldson <afdx@google.com>Mon Sep 19 15:47:32 2022 +0000
committerDawn LUCI CQ <dawn-scoped@luci-project-accounts.iam.gserviceaccount.com>Mon Sep 19 15:47:32 2022 +0000
tree084900f8831c50723118670397a11257edbcd12e
parent4f8ed34b94e89b9e5c87bfe8c95fd39d7943bedc [diff]
Fix out-of-bounds access in regex fuzzer

Fixes the regex fuzzer so that when searching for an operator to
replace, it takes account of the fact that the string being searched may
be very small, avoiding an issue where unsigned integer underflow would
occur.

Bug: crbug.com/1359193
Change-Id: I653a20429dc20385a64f8d684c81d023702458e6
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/102641
Kokoro: Kokoro <noreply+kokoro@google.com>
Auto-Submit: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

diff --git a/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc b/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc
index fb1d508..b8e3288 100644
--- a/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc
+++ b/src/tint/fuzzers/tint_regex_fuzzer/regex_fuzzer_tests.cc

@@ -545,6 +545,14 @@
     }
 }
 
+TEST(TestReplaceOperator, TestFindOperatorOccurrenceOnSmallStrings) {
+    RandomGenerator generator(0);
+    WgslMutatorTest mutator(generator);
+    ASSERT_FALSE(mutator.FindOperatorOccurrence("", 0).has_value());
+    ASSERT_FALSE(mutator.FindOperatorOccurrence(" ", 0).has_value());
+    ASSERT_FALSE(mutator.FindOperatorOccurrence("  ", 0).has_value());
+}
+
 TEST(TestInsertBreakOrContinue, TestLoopPositions1) {
     RandomGenerator generator(0);
     WgslMutatorTest mutator(generator);

diff --git a/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc b/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc
index 46db837..c5125a4 100644
--- a/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc
+++ b/src/tint/fuzzers/tint_regex_fuzzer/wgsl_mutator.cc

@@ -463,9 +463,9 @@
         // case where search has reached the end of the code string.
         char first_character = wgsl_code[current_index];
         char second_character =
-            current_index == wgsl_code.size() - 1 ? '\0' : wgsl_code[current_index + 1];
+            current_index + 1 == wgsl_code.size() ? '\0' : wgsl_code[current_index + 1];
         char third_character =
-            current_index >= wgsl_code.size() - 2 ? '\0' : wgsl_code[current_index + 2];
+            current_index + 2 >= wgsl_code.size() ? '\0' : wgsl_code[current_index + 2];
 
         // This uses the extracted characters to match for the various WGSL operators.
         switch (first_character) {