Giovanni Mascellani (@giomasce) commented about libs/vkd3d-shader/dxil.c:
WARN("Missing operands for function type %u.\n", type_index);
return VKD3D_ERROR_INVALID_SHADER;
}
if (record->operands[0])
FIXME("Unhandled vararg function type %u.\n", type_index);
type->class = TYPE_CLASS_FUNCTION;
if ((type_id = record->operands[1]) >= type_count)
{
WARN("Invalid return type id %"PRIu64" for type %u.\n", type_id, type_index);
return VKD3D_ERROR_INVALID_SHADER;
}
count = record->operand_count - 2;
if (!(type->u.function = vkd3d_malloc(offsetof(struct sm6_function_info, param_types[count]))))
I know this is a standard pattern, but it just occurred to me that this could overflow, and I doubt `offsetof()` is protected against that. So in theory, at least for 32-bit builds, I guess this could be a security issue. This also happens for structures.