[vulkan] Fix heap buffer overflow in Vulkan extension handling discovered by ASAN (halide#7740)

Fix heap buffer overflow in Vulkan extension handling discovered by ASAN

Co-authored-by: Derek Gerstmann <dgerstmann@adobe.com>

Author: 2 people

src/runtime/internal/string_table.h

@@ -28,7 +28,7 @@ class StringTable {
     void clear(void *user_context);
 
     // fills the contents of the table (copies strings from given array)
-    void fill(void *user_context, const char **array, size_t coun);
+    void fill(void *user_context, const char **array, size_t count);
 
     // assign the entry at given index the given string
     void assign(void *user_context, size_t index, const char *str, size_t length = 0);  // if length is zero, strlen is used
@@ -88,9 +88,10 @@ StringTable::~StringTable() {
 
 void StringTable::resize(void *user_context, size_t capacity) {
     pointers.resize(user_context, capacity);
-    while (contents.size() < capacity) {
+    contents.resize(user_context, capacity);
+    for (size_t n = 0; n < contents.size(); ++n) {
         StringStorage *storage_ptr = StringStorage::create(user_context, contents.current_allocator());
-        contents.append(user_context, storage_ptr);
+        contents.assign(user_context, n, storage_ptr);
     }
 }
 

src/runtime/vulkan_context.h

@@ -312,13 +312,13 @@ int vk_create_device(void *user_context, const StringTable &requested_layers, Vk
     }
 
     debug(user_context) << "  found " << (uint32_t)required_device_extensions.size() << " required extensions for device!\n";
-    for (int n = 0; n < (int)required_device_extensions.size(); ++n) {
+    for (uint32_t n = 0; n < required_device_extensions.size(); ++n) {
         debug(user_context) << "   required extension: " << required_device_extensions[n] << "\n";
     }
 
     // enable all available optional extensions
     debug(user_context) << "  checking for " << (uint32_t)optional_device_extensions.size() << " optional extensions for device ...\n";
-    for (int n = 0; n < (int)optional_device_extensions.size(); ++n) {
+    for (uint32_t n = 0; n < optional_device_extensions.size(); ++n) {
         if (supported_device_extensions.contains(optional_device_extensions[n])) {
             debug(user_context) << "   optional extension: " << optional_device_extensions[n] << "\n";
             required_device_extensions.append(user_context, optional_device_extensions[n]);

src/runtime/vulkan_extensions.h

@@ -153,9 +153,10 @@ uint32_t vk_get_supported_instance_extensions(void *user_context, StringTable &e
         return 0;
     }
 
+    debug(user_context) << "Vulkan: Checking vkEnumerateInstanceExtensionProperties for extensions ...\n";
+
     uint32_t avail_ext_count = 0;
     vkEnumerateInstanceExtensionProperties(nullptr, &avail_ext_count, nullptr);
-    debug(user_context) << "Vulkan: vkEnumerateInstanceExtensionProperties found  " << avail_ext_count << " extensions ...\n";
 
     if (avail_ext_count) {
         BlockStorage::Config config;
@@ -170,7 +171,7 @@ uint32_t vk_get_supported_instance_extensions(void *user_context, StringTable &e
 
         for (uint32_t n = 0; n < avail_ext_count; ++n) {
             const VkExtensionProperties *properties = static_cast<const VkExtensionProperties *>(extension_properties[n]);
-            debug(user_context) << "    extension: " << properties->extensionName << "\n";
+            debug(user_context) << "    [" << n << "]: " << properties->extensionName << "\n";
         }
 
         ext_table.resize(user_context, avail_ext_count);
@@ -179,7 +180,7 @@ uint32_t vk_get_supported_instance_extensions(void *user_context, StringTable &e
             ext_table.assign(user_context, n, properties->extensionName);
         }
     }
-
+    debug(user_context) << "Vulkan: vkEnumerateInstanceExtensionProperties found  " << avail_ext_count << " extensions ...\n";
     return avail_ext_count;
 }
 
@@ -197,11 +198,7 @@ uint32_t vk_get_optional_device_extensions(void *user_context, StringTable &ext_
         "VK_KHR_shader_float16_int8",
         "VK_KHR_shader_float_controls"};
     const uint32_t optional_ext_count = sizeof(optional_ext_table) / sizeof(optional_ext_table[0]);
-
-    ext_table.resize(user_context, optional_ext_count);
-    for (uint32_t n = 0; n < optional_ext_count; ++n) {
-        ext_table.assign(user_context, n, optional_ext_table[n]);
-    }
+    ext_table.fill(user_context, (const char **)optional_ext_table, optional_ext_count);
     return optional_ext_count;
 }
 
@@ -212,10 +209,10 @@ uint32_t vk_get_supported_device_extensions(void *user_context, VkPhysicalDevice
         return 0;
     }
 
+    debug(user_context) << "Vulkan: Checking vkEnumerateDeviceExtensionProperties for extensions ...\n";
+
     uint32_t avail_ext_count = 0;
     vkEnumerateDeviceExtensionProperties(physical_device, nullptr, &avail_ext_count, nullptr);
-    debug(user_context) << "Vulkan: vkEnumerateDeviceExtensionProperties found  " << avail_ext_count << " extensions ...\n";
-
     if (avail_ext_count > 0) {
         BlockStorage::Config config;
         config.entry_size = sizeof(VkExtensionProperties);
@@ -229,7 +226,7 @@ uint32_t vk_get_supported_device_extensions(void *user_context, VkPhysicalDevice
 
         for (uint32_t n = 0; n < avail_ext_count; ++n) {
             const VkExtensionProperties *properties = static_cast<const VkExtensionProperties *>(extension_properties[n]);
-            debug(user_context) << "    extension: " << properties->extensionName << "\n";
+            debug(user_context) << "    [" << n << "]: " << properties->extensionName << "\n";
         }
 
         ext_table.resize(user_context, avail_ext_count);
@@ -239,17 +236,19 @@ uint32_t vk_get_supported_device_extensions(void *user_context, VkPhysicalDevice
         }
     }
 
+    debug(user_context) << "Vulkan: vkEnumerateDeviceExtensionProperties found  " << avail_ext_count << " extensions ...\n";
     return avail_ext_count;
 }
 
 bool vk_validate_required_extension_support(void *user_context,
                                             const StringTable &required_extensions,
                                             const StringTable &supported_extensions) {
+    debug(user_context) << "Vulkan: Validating " << uint32_t(required_extensions.size()) << " extensions ...\n";
     bool validated = true;
     for (uint32_t n = 0; n < required_extensions.size(); ++n) {
         const char *extension = required_extensions[n];
         if (!supported_extensions.contains(extension)) {
-            debug(user_context) << "Vulkan: Missing required extension: '" << extension << "'! \n";
+            debug(user_context) << "Vulkan: Missing required extension: '" << extension << "'!\n";
             validated = false;
         }
     }