[Backport] CVE-2023-2136: Integer overflow in Skia (2/2)

Cherry-pick of patch originally reviewed on
https://skia-review.googlesource.com/c/skia/+/673577:
Enforce size limits on struct and array declarations.

M108 merge issues:
  resources/sksl/BUILD.bazel:
    File doesn't exist in M108, tests are added manually to gn/sksl_tests.gni.

  gn/sksl_tests.gni:
    Conflicting rts entries

  tests/sksl/shared/Ossfuzz37900.*
    Not present in 108, skipped.

  src/sksl/ir/SkSLType.cpp:
    - Conflicting includes
    - MakeStructType():
      - Conflicting function signature
      - context isn't a parameter, used ThreadContext::Context() directly.

This improves error reporting by more clearly attaching the error
message to the oversized type.

Bug: chromium:1432603
Change-Id: I26511f08aff22072cf4913abf7be2c49940a732c
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/671377
Commit-Queue: John Stiles <[email protected]>
(cherry picked from commit 1cbd33ecd73523f8d4bf88e9c5576303b39e5556)
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/673577
Reviewed-by: John Stiles <[email protected]>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474619
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: johnstiles-google

chromium/third_party/skia/src/sksl/dsl/DSLType.cpp

@@ -266,7 +266,7 @@ DSLExpression DSLType::Construct(DSLType type, SkSpan<DSLExpression> argArray) {
 
 DSLType Array(const DSLType& base, int count, Position pos) {
     count = base.skslType().convertArraySize(ThreadContext::Context(), pos,
-            DSLExpression(count, pos).release());
+                                             DSLExpression(count, pos).release());
     if (!count) {
         return DSLType(kPoison_Type);
     }
@@ -278,7 +278,7 @@ DSLType UnsizedArray(const DSLType& base, Position pos) {
         return DSLType(kPoison_Type);
     }
     return ThreadContext::SymbolTable()->addArrayDimension(&base.skslType(),
-            SkSL::Type::kUnsizedArray);
+                                                           SkSL::Type::kUnsizedArray);
 }
 
 DSLType Struct(std::string_view name, SkSpan<DSLField> fields, Position pos) {

chromium/third_party/skia/src/sksl/ir/SkSLType.cpp

@@ -12,10 +12,12 @@
 #include "include/private/SkTFitsIn.h"
 #include "include/sksl/SkSLErrorReporter.h"
 #include "src/core/SkMathPriv.h"
+#include "src/core/SkSafeMath.h"
 #include "src/sksl/SkSLBuiltinTypes.h"
 #include "src/sksl/SkSLConstantFolder.h"
 #include "src/sksl/SkSLContext.h"
 #include "src/sksl/SkSLProgramSettings.h"
+#include "src/sksl/SkSLThreadContext.h"
 #include "src/sksl/ir/SkSLConstructorArrayCast.h"
 #include "src/sksl/ir/SkSLConstructorCompoundCast.h"
 #include "src/sksl/ir/SkSLConstructorScalarCast.h"
@@ -648,6 +650,17 @@ std::unique_ptr<Type> Type::MakeScalarType(std::string_view name, const char* ab
 
 std::unique_ptr<Type> Type::MakeStructType(Position pos, std::string_view name,
                                            std::vector<Field> fields, bool interfaceBlock) {
+    size_t slots = 0;
+    for (const Field& field : fields) {
+        if (field.fType->isUnsizedArray()) {
+            continue;
+        }
+        slots = SkSafeMath::Add(slots, field.fType->slotCount());
+        if (slots >= kVariableSlotLimit) {
+            ThreadContext::Context().fErrors->error(pos, "struct is too large");
+            break;
+        }
+    }
     return std::make_unique<StructType>(pos, name, std::move(fields), interfaceBlock);
 }
 
@@ -1120,8 +1133,9 @@ bool Type::checkIfUsableInArray(const Context& context, Position arrayPos) const
     return true;
 }
 
-SKSL_INT Type::convertArraySize(const Context& context, Position arrayPos,
-        std::unique_ptr<Expression> size) const {
+SKSL_INT Type::convertArraySize(const Context& context,
+                                Position arrayPos,
+                                std::unique_ptr<Expression> size) const {
     size = context.fTypes.fInt->coerceExpression(std::move(size), context);
     if (!size) {
         return 0;
@@ -1138,7 +1152,7 @@ SKSL_INT Type::convertArraySize(const Context& context, Position arrayPos,
         context.fErrors->error(size->fPosition, "array size must be positive");
         return 0;
     }
-    if (!SkTFitsIn<int32_t>(count)) {
+    if (SkSafeMath::Mul(this->slotCount(), count) > kVariableSlotLimit) {
         context.fErrors->error(size->fPosition, "array size is too large");
         return 0;
     }