Harden uniform array index parsing.

Add overflow handling when parsing uniform variables. BUG=angleproject:2191 TEST=angle_unittests Change-Id: Ib2a69be1cc11a94420bc923a2aaaef8dc664d562 Reviewed-on: https://chromium-review.googlesource.com/756209Reviewed-by: Bryan Bernhart <bryan.bernhart@intel.com> Reviewed-by: Olli Etuaho <oetuaho@nvidia.com> Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

Harden uniform array index parsing.
f4f293ef · Bryan Bernhart (Intel Americas Inc) · Commit Bot · ff7aac5e · f4f293ef · f4f293ef
Commit f4f293ef authored Nov 06, 2017 by Bryan Bernhart (Intel Americas Inc) Committed by Commit Bot Nov 14, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 5 deletions

utilities.cpp src/common/utilities.cpp +12 -5

utilities_unittest.cpp src/common/utilities_unittest.cpp +9 -0

No files found.
--- a/src/common/utilities.cpp
+++ b/src/common/utilities.cpp
@@ -773,7 +773,6 @@ std::string ParseResourceName(const std::string &name, std::vector<unsigned int>
 unsigned int ParseArrayIndex(const std::string &name, size_t *nameLengthWithoutArrayIndexOut)
 {
    ASSERT(nameLengthWithoutArrayIndexOut != nullptr);
-    unsigned int subscript = GL_INVALID_INDEX;

    // Strip any trailing array operator and retrieve the subscript
    size_t open = name.find_last_of('[');
@@ -790,14 +789,22 @@ unsigned int ParseArrayIndex(const std::string &name, size_t *nameLengthWithoutA
        }
        if (indexIsValidDecimalNumber)
        {
-            subscript                       = atoi(name.c_str() + open + 1);
-            *nameLengthWithoutArrayIndexOut = open;
-            return subscript;
+            errno = 0;  // reset global error flag.
+            unsigned long subscript =
+                strtoul(name.c_str() + open + 1, /*endptr*/ nullptr, /*radix*/ 10);
+
+            // Check if resulting integer is out-of-range or conversion error.
+            if ((subscript <= static_cast<unsigned long>(UINT_MAX)) &&
+                !(subscript == ULONG_MAX && errno == ERANGE) && !(errno != 0 && subscript == 0))
+            {
+                *nameLengthWithoutArrayIndexOut = open;
+                return static_cast<unsigned int>(subscript);
+            }
        }
    }

    *nameLengthWithoutArrayIndexOut = name.length();
-    return subscript;
+    return GL_INVALID_INDEX;
 }

 const char *GetGenericErrorMessage(GLenum error)

--- a/src/common/utilities_unittest.cpp
+++ b/src/common/utilities_unittest.cpp
@@ -168,4 +168,13 @@ TEST(ParseArrayIndex, ArrayIndexBogus)
    EXPECT_EQ(11u, nameLengthWithoutArrayIndex);
 }

+// Verify that using an index value out-of-range fails.
+TEST(ParseArrayIndex, ArrayIndexOutOfRange)
+{
+    size_t nameLengthWithoutArrayIndex;
+    EXPECT_EQ(GL_INVALID_INDEX,
+              gl::ParseArrayIndex("foo[4294967296]", &nameLengthWithoutArrayIndex));
+    EXPECT_EQ(15u, nameLengthWithoutArrayIndex);
+}
+
 }  // anonymous namespace