Validate Uniform variable limits with each iteration

VariablePacker would loop over all variables and sum up the total row counts before validating. Each variable can take hundreds of rows so it is possible to overflow the counters before validating them. Validate the limits with each iteration and early-out when the limits are exceeded. https://bugzilla.mozilla.org/show_bug.cgi?id=1864587 Bug: chromium:1864587 Change-Id: Ic235ada1516a0d5a9948d82b22f6316a037c09ca Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5106408 Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org> Auto-Submit: Geoff Lang <geofflang@chromium.org> Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
mozilla · Jan 2, 2024 · ddaf44a · ddaf44a
1 parent 6784271
commit ddaf44a
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 12 deletions.
diff --git a/src/compiler/translator/VariablePacker.cpp b/src/compiler/translator/VariablePacker.cpp
@@ -239,11 +239,10 @@ bool VariablePacker::checkExpandedVariablesWithinPackingLimits(
             break;
         }
         topNonFullRow_ += GetVariablePackingRows(variable);
-    }
-
-    if (topNonFullRow_ > maxRows_)
-    {
-        return false;
+        if (topNonFullRow_ > maxRows_)
+        {
+            return false;
+        }
     }
 
     // Packs the 3 column variables.
@@ -255,12 +254,12 @@ bool VariablePacker::checkExpandedVariablesWithinPackingLimits(
         {
             break;
         }
-        num3ColumnRows += GetVariablePackingRows(variable);
-    }
 
-    if (topNonFullRow_ + num3ColumnRows > maxRows_)
-    {
-        return false;
+        num3ColumnRows += GetVariablePackingRows(variable);
+        if (topNonFullRow_ + num3ColumnRows > maxRows_)
+        {
+            return false;
+        }
     }
 
     fillColumns(topNonFullRow_, num3ColumnRows, 0, 3);

diff --git a/src/tests/gl_tests/GLSLTest.cpp b/src/tests/gl_tests/GLSLTest.cpp
@@ -8717,6 +8717,45 @@ void main() {
     EXPECT_PIXEL_COLOR_EQ(0, 0, GLColor::green);
 }
 
+// Test that packing of excessive 3-column variables does not overflow the count of 3-column
+// variables in VariablePacker
+TEST_P(WebGL2GLSLTest, ExcessiveMat3UniformPacking)
+{
+    std::ostringstream srcStream;
+
+    srcStream << "#version 300 es\n";
+    srcStream << "precision mediump float;\n";
+    srcStream << "out vec4 finalColor;\n";
+    srcStream << "in vec4 color;\n";
+    srcStream << "uniform mat4 r[254];\n";
+
+    srcStream << "uniform mat3 ";
+    constexpr size_t kNumUniforms = 10000;
+    for (size_t i = 0; i < kNumUniforms; ++i)
+    {
+        if (i > 0)
+        {
+            srcStream << ", ";
+        }
+        srcStream << "m3a_" << i << "[256]";
+    }
+    srcStream << ";\n";
+
+    srcStream << "void main(void) { finalColor = color; }\n";
+    std::string src = std::move(srcStream).str();
+
+    GLuint shader = glCreateShader(GL_VERTEX_SHADER);
+
+    const char *sourceArray[1] = {src.c_str()};
+    GLint lengths[1]           = {static_cast<GLint>(src.length())};
+    glShaderSource(shader, 1, sourceArray, lengths);
+    glCompileShader(shader);
+
+    GLint compileResult;
+    glGetShaderiv(shader, GL_COMPILE_STATUS, &compileResult);
+    EXPECT_EQ(compileResult, 0);
+}
+
 // Test that a varying with a flat qualifier that is used as an operand of a folded ternary operator
 // is handled correctly.
 TEST_P(GLSLTest_ES3, FlatVaryingUsedInFoldedTernary)
@@ -15967,7 +16006,7 @@ TEST_P(GLSLTest_ES3, MonomorphizeForAndContinue)
 
     constexpr char kFS[] =
         R"(#version 300 es
-        
+
         precision mediump float;
         out vec4 fragOut;
         struct aParam
@@ -15994,7 +16033,7 @@ TEST_P(GLSLTest_ES3, MonomorphizeForAndContinue)
         void main()
         {
             fragOut.a = monomorphizedFunction(theParam);
-        }        
+        }
 )";
     CompileShader(GL_FRAGMENT_SHADER, kFS);
     ASSERT_GL_NO_ERROR();