Giovanni Mascellani (@giomasce) commented about libs/vkd3d-shader/dxil.c:
+ WARN("Missing operands for function type %u.\n", type_index); + return VKD3D_ERROR_INVALID_SHADER; + } + if (record->operands[0]) + FIXME("Unhandled vararg function type %u.\n", type_index); + + type->class = TYPE_CLASS_FUNCTION; + + if ((type_id = record->operands[1]) >= type_count) + { + WARN("Invalid return type id %"PRIu64" for type %u.\n", type_id, type_index); + return VKD3D_ERROR_INVALID_SHADER; + } + + count = record->operand_count - 2; + if (!(type->u.function = vkd3d_malloc(offsetof(struct sm6_function_info, param_types[count])))) I know this is a standard pattern, but it just occurred to me that this could overflow, and I doubt `offsetof()` is protected against that. So in theory, at least for 32 bit builds, I guess this could be a security issue. This also happens for structures.
-- https://gitlab.winehq.org/wine/vkd3d/-/merge_requests/259#note_37318
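Review bot: the allocation size in the last line of the hunk, `offsetof(struct sm6_function_info, param_types[count])`, is an unchecked `count * sizeof(param_types[0])` plus the header, and `count = record->operand_count - 2` is taken straight from the bitcode record; on a 32-bit build a large operand count can wrap the size_t so that vkd3d_malloc() returns a buffer far smaller than `count` elements. Suggest rejecting the record before allocating, e.g. `if (count > (SIZE_MAX - offsetof(struct sm6_function_info, param_types[0])) / sizeof(type->u.function->param_types[0])) { WARN(...); return VKD3D_ERROR_INVALID_SHADER; }`, or using an overflow-checked array allocation helper, and applying the same guard to the structure type record the comment mentions. Separately, the `if (record->operands[0]) FIXME(...)` line only logs and falls through, so a vararg function type is silently parsed as a fixed-arity one; if that is not intended, it should also return VKD3D_ERROR_INVALID_SHADER.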