6a1a98c313 - platform/external/skia

commit	6a1a98c313bfbe24fa140b3ccba0af23676d5bea	[log] [tgz]
author	John Stiles <johnstiles@google.com>	Thu Jan 14 18:35:34 2021 -0500
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	Fri Jan 15 15:11:00 2021 +0000
tree	0319b18c7b9cdbfd16444d5204a92d61ea8e5cbc
parent	5878ecef2f6a20ca409cc997e7befcf05e5d431f [diff]

Fix for fuzzer-discovered use-after-free.

The inliner discovered that when a binary expression is inlined, its
type is not cloned into the destination's SymbolTable. This meant that
when the inlined-from function was later dead-stripped, the type pointer
would become dangling. Did a quick pass over inlineExpression and
inlineStatement and ensured that types are always copied.

Also found that `copy_if_needed` was making a copy of eligible types
each time one was encountered, instead of making one copy and reusing
it. This is fixed as well.

Change-Id: Iee3259ab038dfb04034bf0110af1909ccffec3de
Bug: oss-fuzz:29444
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/354219
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>

gn/sksl_tests.gni[diff]
src/sksl/SkSLInliner.cpp[diff]
src/sksl/ir/SkSLSymbolTable.h[diff]
tests/sksl/shared/Ossfuzz29444.sksl[Added - diff]
tests/sksl/shared/golden/Ossfuzz29444.asm.frag[Added - diff]
tests/sksl/shared/golden/Ossfuzz29444.glsl[Added - diff]
tests/sksl/shared/golden/Ossfuzz29444.metal[Added - diff]

7 files changed