Add array bounds checks for WebGL shaders

WebGL shaders may contain OOB array accesses which in turn cause undefined behavior, which may result in security issues. This was detected as an UNKNOWN READ by UBSAN while testing with SwANGLE. Bug: chromium:1189110 Change-Id: I00f56e771ed0c675abb465fc3a3dc9d62ea8ed51 Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/2892286Reviewed-by: Geoff Lang <geofflang@chromium.org> Reviewed-by: Jamie Madill <jmadill@chromium.org> Commit-Queue: Alexis Hétu <sugoi@chromium.org>

Add array bounds checks for WebGL shaders
b0d39ba2 · Alexis Hetu · Commit Bot · 9809122d · b0d39ba2
Commit b0d39ba2 authored May 12, 2021 by Alexis Hetu Committed by Commit Bot May 13, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

ShaderVk.cpp src/libANGLE/renderer/vulkan/ShaderVk.cpp +4 -0

No files found.
--- a/src/libANGLE/renderer/vulkan/ShaderVk.cpp
+++ b/src/libANGLE/renderer/vulkan/ShaderVk.cpp
@@ -37,6 +37,10 @@ std::shared_ptr<WaitableCompileEvent> ShaderVk::compile(const gl::Context *conte
        // Extra initialization in spirv shader may affect performance.
        compileOptions |= SH_INITIALIZE_UNINITIALIZED_LOCALS;
+        // WebGL shaders may contain OOB array accesses which in turn cause undefined behavior,
+        // which may result in security issues. See https://crbug.com/1189110.
+        compileOptions |= SH_CLAMP_INDIRECT_ARRAY_BOUNDS;
        if (mState.getShaderType() != gl::ShaderType::Compute)
        {
            compileOptions |= SH_INIT_OUTPUT_VARIABLES;