Fix out of bounds array or iterator accesses

baldurk · Oct 4, 2024 · 8f88f1d · 8f88f1d
1 parent cb1a292
commit 8f88f1d
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 8 deletions.
diff --git a/renderdoc/driver/gl/gl_shader_refl.cpp b/renderdoc/driver/gl/gl_shader_refl.cpp
@@ -800,7 +800,7 @@ void ReconstructVarTree(GLenum query, GLuint sepProg, GLuint varIdx, GLint numPa
   int32_t c = values[1] - 1;
 
   // trim off trailing [0] if it's an array
-  if(var.name[c - 3] == '[' && var.name[c - 2] == '0' && var.name[c - 1] == ']')
+  if(var.name.size() > 3 && var.name[c - 3] == '[' && var.name[c - 2] == '0' && var.name[c - 1] == ']')
     var.name.resize(c - 3);
   else
     var.type.elements = 1;

diff --git a/renderdoc/driver/shaders/dxbc/dxbc_container.cpp b/renderdoc/driver/shaders/dxbc/dxbc_container.cpp
@@ -2531,7 +2531,7 @@ float4 main(float3 input : INPUT) : SV_Target0
       }
     }
 
-    bool dwordLength[15] = {};
+    bool dwordLength[16] = {};
 
     for(rdcstr snippet : snippets)
     {

diff --git a/renderdoc/driver/shaders/dxil/llvm_bitwriter.h b/renderdoc/driver/shaders/dxil/llvm_bitwriter.h
@@ -223,11 +223,14 @@ class BitWriter
         // how many remaining bits are there in the next byte
         const size_t remainingBits = bufBitSize - 8;
 
-        buf++;
-        b = *buf;
-        // mask as necessary
-        if(remainingBits < 8)
-          b &= (1 << remainingBits) - 1;
+        if(remainingBits > 0)
+        {
+          buf++;
+          b = *buf;
+          // mask as necessary
+          if(remainingBits < 8)
+            b &= (1 << remainingBits) - 1;
+        }
       }
 
       bufBitSize -= 8;

diff --git a/renderdoc/driver/vulkan/vk_postvs.cpp b/renderdoc/driver/vulkan/vk_postvs.cpp
@@ -6393,6 +6393,9 @@ void VulkanReplay::InitPostVSBuffers(const rdcarray<uint32_t> &events)
     break;
   }
 
+  if(first >= events.size())
+    return;
+
   // first we must replay up to the first event without replaying it. This ensures any
   // non-command buffer calls like memory unmaps etc all happen correctly before this
   // command buffer

diff --git a/renderdoc/driver/vulkan/vk_shaderdebug.cpp b/renderdoc/driver/vulkan/vk_shaderdebug.cpp
@@ -1612,7 +1612,8 @@ class VulkanAPIWrapper : public rdcspv::DebugAPIWrapper
       // lower_bound puts us at the same or next item. Since we want the buffer that contains
       // this address, we go to the previous iter unless we're already on the first or
       // it's an exact match
-      if(address != it->first && it != m_Creation.m_BufferAddresses.begin())
+      if(it == m_Creation.m_BufferAddresses.end() ||
+         (address != it->first && it != m_Creation.m_BufferAddresses.begin()))
         it--;
       // use the index in the map as a unique buffer identifier that's not 64-bit
       bind.arrayElement = uint32_t(it - m_Creation.m_BufferAddresses.begin());
-Original file line number
+Diff line change
@@ Expand Up / @@ -2531,7 +2531,7 @@ float4 main(float3 input : INPUT) : SV_Target0 @@
           }
         }
-        bool dwordLength[15] = {};
+        bool dwordLength[16] = {};
         for(rdcstr snippet : snippets)
         {
@@ Expand Down @@