[Backport] CVE-2024-7532: Out of bounds memory access in ANGLE (1/2)

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/5735815:
Prune switch(constant) with no matching case

Bug: chromium:350528343
Change-Id: Iabb475b230f22086de482bbdcf2fa00b0d986622
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5735815
Auto-Submit: Shahbaz Youssefi <[email protected]>
Commit-Queue: Geoff Lang <[email protected]>
Reviewed-by: Geoff Lang <[email protected]>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/582140
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: ShabbyX

chromium/third_party/angle/src/compiler/translator/tree_ops/PruneNoOps.cpp

@@ -3,14 +3,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
-// PruneNoOps.cpp: The PruneNoOps function prunes:
-//   1. Empty declarations "int;". Empty declarators will be pruned as well, so for example:
-//        int , a;
-//      is turned into
-//        int a;
-//   2. Literal statements: "1.0;". The ESSL output doesn't define a default precision for float,
-//      so float literal statements would end up with no precision which is invalid ESSL.
-//   3. Statements after discard, return, break and continue.
+// PruneNoOps.cpp: The PruneNoOps function prunes no-op statements.
 
 #include "compiler/translator/tree_ops/PruneNoOps.h"
 
@@ -22,6 +15,67 @@ namespace sh
 
 namespace
 {
+uint32_t GetSwitchConstantAsUInt(const TConstantUnion *value)
+{
+    TConstantUnion asUInt;
+    if (value->getType() == EbtYuvCscStandardEXT)
+    {
+        asUInt.setUConst(value->getYuvCscStandardEXTConst());
+    }
+    else
+    {
+        bool valid = asUInt.cast(EbtUInt, *value);
+        ASSERT(valid);
+    }
+    return asUInt.getUConst();
+}
+
+bool IsNoOpSwitch(TIntermSwitch *node)
+{
+    if (node == nullptr)
+    {
+        return false;
+    }
+
+    TIntermConstantUnion *expr = node->getInit()->getAsConstantUnion();
+    if (expr == nullptr)
+    {
+        return false;
+    }
+
+    const uint32_t exprValue = GetSwitchConstantAsUInt(expr->getConstantValue());
+
+    // See if any block matches the constant value
+    const TIntermSequence &statements = *node->getStatementList()->getSequence();
+
+    for (TIntermNode *statement : statements)
+    {
+        TIntermCase *caseLabel = statement->getAsCaseNode();
+        if (caseLabel == nullptr)
+        {
+            continue;
+        }
+
+        // Default matches everything, consider it not a no-op.
+        if (!caseLabel->hasCondition())
+        {
+            return false;
+        }
+
+        TIntermConstantUnion *condition = caseLabel->getCondition()->getAsConstantUnion();
+        ASSERT(condition != nullptr);
+
+        // If any case matches the value, it's not a no-op.
+        const uint32_t caseValue = GetSwitchConstantAsUInt(condition->getConstantValue());
+        if (caseValue == exprValue)
+        {
+            return false;
+        }
+    }
+
+    // No case matched the constant value the switch was used on, so the entire switch is a no-op.
+    return true;
+}
 
 bool IsNoOp(TIntermNode *node)
 {
@@ -32,6 +86,11 @@ bool IsNoOp(TIntermNode *node)
         return true;
     }
 
+    if (IsNoOpSwitch(node->getAsSwitchNode()))
+    {
+        return true;
+    }
+
     if (node->getAsTyped() == nullptr || node->getAsFunctionPrototypeNode() != nullptr)
     {
         return false;

chromium/third_party/angle/src/compiler/translator/tree_ops/PruneNoOps.h

@@ -11,6 +11,7 @@
 //   2. Literal statements: "1.0;". The ESSL output doesn't define a default precision for float,
 //      so float literal statements would end up with no precision which is invalid ESSL.
 //   3. Statements after discard, return, break and continue.
+//   4. Switch statements over a constant, where no case matches the constant
 
 #ifndef COMPILER_TRANSLATOR_TREEOPS_PRUNENOOPS_H_
 #define COMPILER_TRANSLATOR_TREEOPS_PRUNENOOPS_H_