diff options
| author | Gangzheng Tong <tonggangzheng@gmail.com> | 2025-09-10 16:25:31 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-09-10 23:25:31 +0000 |
| commit | 8bcf6c443bbd24498e67ae54f06c2ad933421738 (patch) | |
| tree | efe4181a6f4824f9eb40c1b51716610f87bf40b3 /source | |
| parent | f3e26754c4b63fee419407752b771ecf0bb8ed5a (diff) | |
Fix segfault in SPIR-V header processing in SpirvInstructionHelper (#8428)
The `SpirvInstructionHelper::loadBlob()` method could segfault when
calling `m_headerWords.addRange()` if the SPIR-V blob contained
insufficient data for the required 5-word header.
To reproduce, run
```
./build/Debug/bin/slangc.exe tests/modules/environment.slang -o tests/modules/environment.slang-module -target spirv -separate-debug-info
(0): error 57004: output SPIR-V contains no exported symbols. Please make sure to specify at least one entrypoint.
Segmentation fault
```
The error is expected, but the `Segmentation fault` is not.
This PR adds the check to ensure the SPIR-V blob has at least
`SPV_INDEX_INSTRUCTION_START * sizeof(SpvWord)` bytes (20 bytes minimum)
before attempting to process the header words.
Related to: https://github.com/shader-slang/slang/issues/7547
Diffstat (limited to 'source')
| -rw-r--r-- | source/slang/slang-emit.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/source/slang/slang-emit.cpp b/source/slang/slang-emit.cpp index 31e6d17be..6725ac3de 100644 --- a/source/slang/slang-emit.cpp +++ b/source/slang/slang-emit.cpp @@ -2287,7 +2287,8 @@ public: { ComPtr<ISlangBlob> spirvBlob; SlangResult res = artifact->loadBlob(ArtifactKeep::Yes, spirvBlob.writeRef()); - if (SLANG_FAILED(res) || !spirvBlob) + if (SLANG_FAILED(res) || !spirvBlob || + spirvBlob->getBufferSize() < SPV_INDEX_INSTRUCTION_START * sizeof(SpvWord)) return SLANG_FAIL; // Populate the full array of SPIR-V words. |