From 4ae58a720e6f8d63ff5c74fd14f630137dfd0c0c Mon Sep 17 00:00:00 2001 From: ArielG-NV <159081215+ArielG-NV@users.noreply.github.com> Date: Fri, 19 Jul 2024 14:52:25 -0400 Subject: [PATCH] Fix for invalid swizzle causing crash (#4690) * Fix for invalid swizzle causing crash Fixes #4689 If swizzle code is provided 5+ element swizzle the checkSwizzleExpr code will do an out of bounds array access and crash. * switch test to check for to ensure no crash * cleanup swizzle errors to only emit once --------- Co-authored-by: Yong He --- source/slang/slang-check-expr.cpp | 15 +++++++++++---- tests/bugs/invalid-swizzle-count.slang | 11 +++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) create mode 100644 tests/bugs/invalid-swizzle-count.slang diff --git a/source/slang/slang-check-expr.cpp b/source/slang/slang-check-expr.cpp index f60ead1e95..fd03e5e87c 100644 --- a/source/slang/slang-check-expr.cpp +++ b/source/slang/slang-check-expr.cpp @@ -3743,9 +3743,8 @@ namespace Slang case 'w': case 'a': elementIndex = 3; break; default: // An invalid character in the swizzle is an error - getSink()->diagnose(swizExpr, Diagnostics::invalidSwizzleExpr, swizzleText, baseElementType->toString()); anyError = true; - continue; + break; } // TODO(tfoley): GLSL requires that all component names @@ -3754,9 +3753,16 @@ namespace Slang // Make sure the index is in range for the source type if (elementIndex >= limitElement) { - getSink()->diagnose(swizExpr, Diagnostics::invalidSwizzleExpr, swizzleText, baseElementType->toString()); anyError = true; - continue; + break; + } + + // If elementCount is already at 4 stop trying to assign a swizzle element and send an error, + // we cannot have more valid swizzle elements than 4. + if (elementCount >= 4) + { + anyError = true; + break; } // Check if we've seen this index before 
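Review bot: The `break` that replaces `continue` under `default:` only leaves the `switch`, while the two `break`s added below the switch leave the enclosing loop. After an invalid character, execution therefore still falls through to the range check and the new `elementCount >= 4` guard with whatever value `elementIndex` had before the switch (its initialisation is outside the hunk). As far as the hunk shows, the out-of-bounds access is still prevented because every iteration that reaches the store passes the count guard, but the three error paths no longer behave alike. Adding `if (anyError) break;` directly after the switch's closing brace would stop the scan at the first bad character, as the other two cases do. The literal `4` would also be more robust if written against the capacity of the array it protects, which is declared outside the hunk, as are the loop header and the rest of the function.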
@@ -3778,6 +3784,7 @@ namespace Slang if (anyError) { + getSink()->diagnose(swizExpr, Diagnostics::invalidSwizzleExpr, swizzleText, baseElementType->toString()); return CreateErrorExpr(memberRefExpr); } else if (elementCount == 1) diff --git a/tests/bugs/invalid-swizzle-count.slang b/tests/bugs/invalid-swizzle-count.slang new file mode 100644 index 0000000000..811cf6f444 --- /dev/null +++ b/tests/bugs/invalid-swizzle-count.slang @@ -0,0 +1,11 @@ +//TEST:SIMPLE(filecheck=CHECK): -target spirv -stage compute -entry computeMain -emit-spirv-directly +// CHECK: error 30052 +// CHECK-NOT: error 30052 +RWStructuredBuffer outputBuffer; + +[numthreads(1,1,1)] +void computeMain( uint2 dispatchThreadID : SV_DispatchThreadID ) +{ + float4 vecVal = float4(0); + outputBuffer[0] = vecVal.xxtyxx; +}
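Review bot: Emitting `invalidSwizzleExpr` only inside `if (anyError)` relies on an unstated rule that no path setting `anyError` reports on its own. The three paths in the previous hunk follow it, but any other assignment to `anyError` outside these hunks (the duplicate-index check that follows is one candidate) should be confirmed not to diagnose as well, otherwise it now reports twice. A comment above the call such as `// Single reporting site: error paths above only set anyError.` would record the rule. The enclosing function starts and ends outside the hunk.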
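Review bot: The swizzle `xxtyxx` combines an invalid character (`t`) with more than four components, so the test does not isolate the bounds guard this commit adds. A pass could depend on how the invalid-character path is handled rather than on the `elementCount >= 4` check. A second case built only from valid components, for example `vecVal.xxxxx`, with the same `CHECK` / `CHECK-NOT` pair, would pin the over-length path on its own. A one-line comment above the assignment saying which error the swizzle is meant to trigger would also help the next reader.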