Fix segfault in SPIR-V header processing in SpirvInstructionHelper (#8428)

gtong-nv · web-flow · commit 8bcf6c443bbd · 2025-09-10T23:25:31.000Z
The `SpirvInstructionHelper::loadBlob()` method could segfault when calling `m_headerWords.addRange()` if the SPIR-V blob contained insufficient data for the required 5-word header. To reproduce, run ``` ./build/Debug/bin/slangc.exe tests/modules/environment.slang -o tests/modules/environment.slang-module -target spirv -separate-debug-info (0): error 57004: output SPIR-V contains no exported symbols. Please make sure to specify at least one entrypoint. Segmentation fault ``` The error is expected, but the `Segmentation fault` is not. This PR adds the check to ensure the SPIR-V blob has at least `SPV_INDEX_INSTRUCTION_START * sizeof(SpvWord)` bytes (20 bytes minimum) before attempting to process the header words. Related to: #7547
diff --git a/source/slang/slang-emit.cpp b/source/slang/slang-emit.cpp
@@ -2287,7 +2287,8 @@ class SpirvInstructionHelper
     {
         ComPtr<ISlangBlob> spirvBlob;
         SlangResult res = artifact->loadBlob(ArtifactKeep::Yes, spirvBlob.writeRef());
-        if (SLANG_FAILED(res) || !spirvBlob)
+        if (SLANG_FAILED(res) || !spirvBlob ||
+            spirvBlob->getBufferSize() < SPV_INDEX_INSTRUCTION_START * sizeof(SpvWord))
             return SLANG_FAIL;
 
         // Populate the full array of SPIR-V words.

Original file line number	Diff line number	Diff line change
`@@ -2287,7 +2287,8 @@ class SpirvInstructionHelper`
`2287`	`2287`	`{`
`2288`	`2288`	`ComPtr<ISlangBlob> spirvBlob;`
`2289`	`2289`	`SlangResult res = artifact->loadBlob(ArtifactKeep::Yes, spirvBlob.writeRef());`
`2290`		`- if (SLANG_FAILED(res) \|\| !spirvBlob)`
	`2290`	`+ if (SLANG_FAILED(res) \|\| !spirvBlob \|\|`
	`2291`	`+ spirvBlob->getBufferSize() < SPV_INDEX_INSTRUCTION_START * sizeof(SpvWord))`
`2291`	`2292`	`return SLANG_FAIL;`
`2292`	`2293`
`2293`	`2294`	`// Populate the full array of SPIR-V words.`