Null-dereference READ in spirv_cross::Compiler::parse
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4815353429098496
Fuzzer: afl_dawn_spirv_cross_glsl_fast_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  spirv_cross::Compiler::parse
  spirv_cross::Compiler::parse
  spirv_cross::CompilerGLSL::CompilerGLSL
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=609745:609757
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4815353429098496

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Nov 21
Automatically assigning owner based on suspected regression changelist https://dawn.googlesource.com/dawn/+/fbeca676d409ec19572e3299288f4010c2ee8fd5 (Tighten when signal trap is used in SPIRV-Cross fuzzers). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Nov 21
This is being caused because the generated case is declaring an OpTypeInt with too few operands. Currently the parser does not catch this, so it attempts to read data that doesn't exist. spirv-val catches this as malformed, so adding the validator before the parser (https://github.com/KhronosGroup/SPIRV-Cross/issues/766) should fix this issue. Once this has landed and rolled in I will take another look at this.
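The comment above describes the malformation behind the crash: an OpTypeInt whose declared word count is smaller than the four words the opcode requires, which the parser then reads past. The following is an added example, not SPIRV-Cross code and not the fuzzer testcase; it is a minimal bounds-checked SPIR-V instruction reader that rejects both a declared word count that runs past the module and an opcode carrying fewer words than its operands need, before touching any operand. The opcode table (required_words), the helper names (op, with_header, parse_checked) and the three sample modules are constructed for this illustration and are assumptions, not anything taken from the bug report.

```cpp
// Added example: bounds-checked SPIR-V instruction reading. Not SPIRV-Cross code;
// sample modules below are constructed by hand for illustration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace spv_check {

// Constants from the SPIR-V specification.
constexpr uint32_t kMagic = 0x07230203u;
constexpr uint32_t kVersion10 = 0x00010000u;
constexpr size_t kHeaderWords = 5;       // magic, version, generator, bound, schema
constexpr uint16_t kOpTypeVoid = 19;     // 2 words: opcode, result id
constexpr uint16_t kOpTypeInt = 21;      // 4 words: opcode, result id, width, signedness

struct IntType { uint32_t id; uint32_t width; bool is_signed; };

struct ParseResult {
    bool ok = true;
    std::string error;
    std::vector<IntType> int_types;
};

// First word of an instruction: word count in the high 16 bits, opcode in the low 16.
constexpr uint32_t op(uint32_t word_count, uint16_t opcode) {
    return (word_count << 16) | opcode;
}

// Required word count for the opcodes this example understands (assumed partial
// table). A real parser takes this from the SPIR-V grammar; unlisted opcodes are
// skipped using their declared length.
static bool required_words(uint16_t opcode, uint32_t *need) {
    switch (opcode) {
        case kOpTypeVoid: *need = 2; return true;
        case kOpTypeInt:  *need = 4; return true;
        default:          return false;
    }
}

// Checked parse: rejects (1) a declared word count that runs past the module and
// (2) an opcode with fewer words than its operands require. Only after both checks
// pass does it read words[pos + 1 .. pos + 3] for OpTypeInt.
static ParseResult parse_checked(const std::vector<uint32_t> &words) {
    ParseResult r;
    if (words.size() < kHeaderWords || words[0] != kMagic) {
        r.ok = false; r.error = "bad or truncated header"; return r;
    }
    size_t pos = kHeaderWords;
    while (pos < words.size()) {
        const uint32_t word_count = words[pos] >> 16;
        const uint16_t opcode = static_cast<uint16_t>(words[pos] & 0xffffu);
        if (word_count == 0 || pos + word_count > words.size()) {
            r.ok = false;
            r.error = "instruction at word " + std::to_string(pos) + " runs past end of module";
            return r;
        }
        uint32_t need = 0;
        if (required_words(opcode, &need) && word_count < need) {
            r.ok = false;
            r.error = "opcode " + std::to_string(opcode) + " at word " + std::to_string(pos) +
                      " has " + std::to_string(word_count) + " words, needs " + std::to_string(need);
            return r;
        }
        if (opcode == kOpTypeInt)
            r.int_types.push_back({words[pos + 1], words[pos + 2], words[pos + 3] != 0});
        pos += word_count;
    }
    return r;
}

// Constructed sample modules: a 5-word header followed by a few type declarations.
static std::vector<uint32_t> with_header(std::vector<uint32_t> body) {
    std::vector<uint32_t> m = {kMagic, kVersion10, 0 /*generator*/, 4 /*bound*/, 0 /*schema*/};
    m.insert(m.end(), body.begin(), body.end());
    return m;
}
static std::vector<uint32_t> well_formed_module() {
    return with_header({op(2, kOpTypeVoid), 1,
                        op(4, kOpTypeInt), 2, 32, 1});      // %2 = OpTypeInt 32 1
}
static std::vector<uint32_t> short_optypeint_module() {
    return with_header({op(2, kOpTypeVoid), 1,
                        op(3, kOpTypeInt), 2, 32});         // signedness operand missing
}
static std::vector<uint32_t> overrun_module() {
    return with_header({op(4, kOpTypeInt), 2});             // claims 4 words, only 2 present
}

}  // namespace spv_check

int main() {
    using namespace spv_check;
    const struct { const char *name; std::vector<uint32_t> words; } cases[] = {
        {"well-formed", well_formed_module()},
        {"short OpTypeInt", short_optypeint_module()},
        {"overrun", overrun_module()},
    };
    for (const auto &c : cases) {
        ParseResult r = parse_checked(c.words);
        std::printf("%-16s -> %s%s\n", c.name, r.ok ? "accepted" : "rejected: ", r.error.c_str());
    }
    return 0;
}
```

Without the required_words check, the read of words[pos + 3] for the short OpTypeInt would go one word past the instruction: into the next instruction's first word when one follows, or past the end of the module when it is the last instruction, which is the class of out-of-bounds read the sanitizer reported here. Running spirv-val ahead of the parser, as the comment proposes, rejects the module on the same operand-count rule before the parser sees it.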
Comment 1 by ClusterFuzz, Nov 21
Labels: ClusterFuzz-Auto-CC