
WGSL front end crashes on malformed input #90

Closed
GabrielMajeri opened this issue Jul 1, 2020 · 0 comments · Fixed by #95
Labels
area: front-end Input formats for conversion help wanted Extra attention is needed kind: bug Something isn't working lang: WGSL WebGPU shading language

Comments

@GabrielMajeri
Contributor

Minimal reproduction: feed the WGSL parser the following string:

"\"\u{2}ПЀ\u{0}\""

Leads to the following panic in wgsl::lex::consume_token:

thread '<unnamed>' panicked at 'byte index 4 is not a char boundary; it is inside 'Ѐ' (bytes 3..5) of `ПЀ"`', /home/gabriel/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/str/mod.rs:1987:47
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.46/src/backtrace/libunwind.rs:86
   1: backtrace::backtrace::trace_unsynchronized
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.46/src/backtrace/mod.rs:66
   2: std::sys_common::backtrace::_print_fmt
             at src/libstd/sys_common/backtrace.rs:78
   3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt
             at src/libstd/sys_common/backtrace.rs:59
   4: core::fmt::write
             at src/libcore/fmt/mod.rs:1076
   5: std::io::Write::write_fmt
             at src/libstd/io/mod.rs:1537
   6: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:62
   7: std::sys_common::backtrace::print
             at src/libstd/sys_common/backtrace.rs:49
   8: std::panicking::default_hook::{{closure}}
             at src/libstd/panicking.rs:198
   9: std::panicking::default_hook
             at src/libstd/panicking.rs:217
  10: libfuzzer_sys::initialize::{{closure}}
  11: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:524
  12: rust_begin_unwind
             at src/libstd/panicking.rs:431
  13: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
  14: core::str::slice_error_fail
             at src/libcore/str/mod.rs:0
  15: core::str::traits::<impl core::slice::SliceIndex<str> for core::ops::range::RangeTo<usize>>::index::{{closure}}
  16: naga::front::wgsl::lex::consume_token
  17: naga::front::wgsl::Parser::parse_global_decl
  18: naga::front::wgsl::Parser::parse
  19: rust_fuzzer_test_input
  20: __rust_try
  21: LLVMFuzzerTestOneInput
  22: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
  23: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
  24: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
  25: main
  26: __libc_start_main
  27: _start

The panic is likely from this indexing here:

(Token::String(&base[..len]), chars.as_str())

@kvark kvark added area: front-end Input formats for conversion help wanted Extra attention is needed kind: bug Something isn't working lang: WGSL WebGPU shading language labels Jul 1, 2020
@kvark kvark closed this as completed in #95 Jul 3, 2020
kvark pushed a commit that referenced this issue Jul 3, 2020
Until now the WGSL parser would interpret a character index as a byte index.
This could lead to a panic on invalid input strings like "\"\u{2}ПЀ\u{0}\"",
because it would use that index to slice a string without ensuring the slicing
happens on a character boundary.

One possible fix would have been to call `str::find` instead of `position`,
however by relying on `splitn` instead of slicing a str manually it is
easier to convince ourselves that this code can no longer panic.

Fixes #90
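As an added example (not naga's code; the lexer functions and their names are hypothetical simplifications), the following Rust snippet reproduces the bug class the issue and the fixing commit describe, a character count used as a byte offset into a `str`, beside a `splitn`-based version that cannot slice off a char boundary.

```rust
/// Constructed reproduction input, taken verbatim from the issue: a quoted
/// string literal containing the two-byte Cyrillic letters П and Ѐ.
pub const ISSUE_INPUT: &str = "\"\u{2}ПЀ\u{0}\"";

/// Hypothetical lexer with the bug class described in the issue: it counts
/// *characters* up to the closing quote, then uses that count as a *byte*
/// length when slicing `base`. For `ISSUE_INPUT` the count is 4, but byte 4
/// lies inside 'Ѐ' (bytes 3..5), so the slice panics exactly as reported.
pub fn consume_string_buggy(input: &str) -> Option<(&str, &str)> {
    let base = input.strip_prefix('"')?;
    let len = base.chars().position(|c| c == '"')?; // char index, not bytes
    let mut chars = base.chars();
    let _ = chars.nth(len); // skip the literal body and the closing quote
    Some((&base[..len], chars.as_str())) // panics when `len` is off a char boundary
}

/// Fixed lexer in the spirit of the commit that closed #90: `splitn` yields
/// sub-slices of `base` that always start and end on char boundaries, so
/// there is no index to get wrong. An unterminated literal yields `None`
/// instead of a panic. (`str::find` returns a byte index and would also
/// work, as the commit message notes.)
pub fn consume_string_safe(input: &str) -> Option<(&str, &str)> {
    let base = input.strip_prefix('"')?;
    let mut parts = base.splitn(2, '"');
    let body = parts.next()?; // always present
    let rest = parts.next()?; // None => no closing quote
    Some((body, rest))
}

fn main() {
    // The safe version handles the crashing input without panicking.
    let (body, rest) = consume_string_safe(ISSUE_INPUT).expect("terminated literal");
    println!(
        "body = {:?} ({} bytes, {} chars), rest = {:?}",
        body, body.len(), body.chars().count(), rest
    );
    // The buggy version panics on the same input; catch it to show the contrast.
    let crashed = std::panic::catch_unwind(|| consume_string_buggy(ISSUE_INPUT)).is_err();
    println!("buggy lexer panicked: {}", crashed);
}
```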