From 3664bd5670d95cde15a04b58cc1c4ab96f5b6e47 Mon Sep 17 00:00:00 2001
From: David Neto
Date: Wed, 23 Dec 2015 13:21:43 -0500
Subject: [PATCH] Fix parser assert failure for a bad OpSwitch

Emit a diagnostic if the OpSwitch selector refers to an ID that is valid but has no type. Discovered by afl-fuzz.
---
 source/binary.cpp    | 5 +++--
 test/BinaryParse.cpp | 7 +++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/source/binary.cpp b/source/binary.cpp
index 533fe7f..99cf30f 100755
--- a/source/binary.cpp
+++ b/source/binary.cpp
@@ -555,8 +555,9 @@ spv_result_t Parser::parseOperand(size_t inst_offset,
         // The literal operands have the same type as the value
         // referenced by the selector Id.
         const uint32_t selector_id = peekAt(inst_offset + 1);
-        auto type_id_iter = _.id_to_type_id.find(selector_id);
-        if (type_id_iter == _.id_to_type_id.end()) {
+        const auto type_id_iter = _.id_to_type_id.find(selector_id);
+        if (type_id_iter == _.id_to_type_id.end() ||
+            type_id_iter->second == 0) {
           return diagnostic() << "Invalid OpSwitch: selector id " << selector_id
                               << " has no type";
         }
diff --git a/test/BinaryParse.cpp b/test/BinaryParse.cpp
index 1c6f237..2aacf47 100644
--- a/test/BinaryParse.cpp
+++ b/test/BinaryParse.cpp
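Review bot: The new `type_id_iter->second == 0` test relies on an undocumented sentinel: nothing at the check says why a type id of 0 means "no type", and the next reader may take it for an off-by-one. The added test (OpLabel followed by an OpSwitch selecting on the label's id) suggests that ids defined without a result type are recorded in `id_to_type_id` with type id 0; if that is the invariant, state it above the check, e.g. `// Ids that have a result but no result type (e.g. OpLabel) are recorded with type id 0, so treat 0 as "no type" as well.` Both branches of the `||` emit the same diagnostic, so the message alone cannot tell an undefined selector from a typeless one; a distinct text such as `" has no result type"` for the second branch would make fuzzer findings easier to triage. parseOperand continues outside the hunk, so whether the type id is subsequently validated as a scalar integer is not visible here.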
@@ -628,9 +628,16 @@ INSTANTIATE_TEST_CASE_P(
                  MakeInstruction(SpvOpExtInst, {2, 3, 100, 4, 5})}),
      "OpExtInst set Id 100 does not reference an OpExtInstImport result "
      "Id"},
+    // In this case, the OpSwitch selector refers to an invalid ID.
     {Concatenate({ExpectedHeaderForBound(3),
                   MakeInstruction(SpvOpSwitch, {1, 2, 42, 3})}),
      "Invalid OpSwitch: selector id 1 has no type"},
+    // In this case, the OpSwitch selector refers to an ID that has
+    // no type.
+    {Concatenate({ExpectedHeaderForBound(3),
+                  MakeInstruction(SpvOpLabel, {1}),
+                  MakeInstruction(SpvOpSwitch, {1, 2, 42, 3})}),
+     "Invalid OpSwitch: selector id 1 has no type"},
     {Concatenate({ExpectedHeaderForBound(3),
                   MakeInstruction(SpvOpTypeInt, {1, 32, 0}),
                   MakeInstruction(SpvOpSwitch, {1, 3, 42, 3})}),
-- 
2.7.4
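Review bot: The new comment on the first OpSwitch case, `// In this case, the OpSwitch selector refers to an invalid ID.`, is imprecise: with a bound of 3 the id 1 is in range, and what makes it fail is that no instruction defines it before the OpSwitch, so "invalid" reads ambiguously next to the following case, which is about a defined-but-typeless id. Suggest `// In this case, the OpSwitch selector refers to an ID that is never defined.` Both cases expect the identical string `"Invalid OpSwitch: selector id 1 has no type"`, so the tests cannot confirm which of the two conditions the parser detected; that follows from the shared diagnostic in binary.cpp rather than from the tests themselves. The INSTANTIATE_TEST_CASE_P list continues outside the hunk.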