Giovanni Mascellani (@giomasce) commented about libs/vkd3d-shader/dxil.c:
+{
+ const struct sm6_type *type, *pointee_type;
+ unsigned int i, elem_idx, operand_idx = 2;
+ enum bitcode_address_space addr_space;
+ struct vkd3d_shader_register *reg;
+ struct sm6_value *operands[2];
+ struct sm6_value *elem_value;
+ const struct sm6_value *src;
+ bool is_in_bounds;
+ size_t operand;
+
+ if (!(type = sm6_parser_get_type(sm6, record->operands[1]))
+ || !(src = sm6_parser_get_value_by_ref(sm6, record, NULL, &operand_idx))
+ || !sm6_value_validate_is_register(src, sm6)
+ || !sm6_value_validate_is_pointer(src, sm6)
+ || !dxil_record_validate_operand_min_count(record, operand_idx + 2, sm6))
It seems the first reference to `operands[1]` is not guarded by any validation.
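Review bot: The record layout that this `if` chain assumes is undocumented: `operands[1]` is read as the GEP source element type, the base pointer value ref is read starting at `operand_idx = 2`, and the minimum operand count is then checked as `operand_idx + 2`, with nothing explaining where those offsets come from. A comment above the `if` would make the parser's expectation of the record explicit, e.g. `/* operands[1] is the source element type; the base pointer value ref starts at operand 2 (sm6_parser_get_value_by_ref advances operand_idx past it) and at least two more operands must follow. */`. That the helper advances `operand_idx` is inferred only from `&operand_idx` being passed and the variable then feeding the count check, so confirm the wording against the helper before adding it. The function's signature precedes the quoted hunk and its body continues after the quoted `if` condition, so the rest of the operand handling is outside this view.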
-- https://gitlab.winehq.org/wine/vkd3d/-/merge_requests/471#note_52555