Khronos Group glslang Null Pointer Dereference Vulnerability in Version 15.1.0
Vulnerability
A null pointer dereference vulnerability has been identified in Khronos Group glslang version 15.1.0. The issue is in the function 'glslang::TIntermediate::isConversionAllowed' in 'glslang/MachineIndependent/Intermediate.cpp'. When the compiler processes certain crafted shader source files, this function is reached with a node pointer that it does not validate before reading through it. The resulting read of a null pointer causes a segmentation fault and terminates the process.
Impact
Exploitation of this vulnerability causes a segmentation fault and a crash of the application, i.e. a denial of service of whatever process compiles the attacker-controlled shader (the glslangValidator tool, or any application that links the glslang library and accepts untrusted shader source). This matches the typical impact of a null pointer dereference: the process attempts to access memory at an invalid address near zero and is terminated by the operating system. Because the faulting access here is a read, the practical impact is loss of availability rather than memory corruption.
Reproduction
The issue can be reproduced by building glslang from the repository with AddressSanitizer enabled, so that the invalid memory access is reported with a stack trace (ending in 'isConversionAllowed') rather than only as a signal. The function is not called directly: it is reached through the normal front end (the glslangValidator tool or the library API) when a crafted shader source is compiled, so reproduction consists of feeding that input to the compiler. Such inputs are typically found with a fuzzer, for example the glslang harness in the OSS-Fuzz project, which repeatedly generates mutated shader sources, passes them to the front end and reports any crash the sanitizer flags.
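The following is an added illustrative example and is not glslang's code. It models only the bug class described above: a semantic check (here a hypothetical 'isConversionAllowed' over a hypothetical 'TIntermNode' tree) that reads through an operand pointer which a parser error-recovery path has left null, shown beside the hardened version that treats a missing operand as "not convertible". The toy argument-list parser, the type subset and the "int converts to float, bool converts to nothing" rule are all assumptions chosen for the example.

```cpp
// Added illustrative example; this is NOT glslang's code. It models the bug
// class only: a semantic check that reads through an intermediate-tree node
// pointer which a parser error-recovery path may have left null.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

enum class TBasicType { Float, Int, Bool };   // hypothetical subset of GLSL basic types

struct TIntermNode {                           // hypothetical node: only the type matters here
    TBasicType basic;
};

// Toy parser for a constructor argument list such as "1.0,2,true".
// An empty slot (e.g. "1.0,,2" or a trailing comma) mimics error recovery
// by storing a null node; every later pass must be prepared for that.
// (Constructed behaviour for the example, not how glslang parses.)
static std::vector<std::unique_ptr<TIntermNode>> parseArgs(const std::string& src) {
    std::vector<std::unique_ptr<TIntermNode>> args;
    if (src.empty()) return args;
    std::size_t pos = 0;
    while (pos <= src.size()) {
        std::size_t comma = src.find(',', pos);
        if (comma == std::string::npos) comma = src.size();
        const std::string tok = src.substr(pos, comma - pos);
        if (tok.empty()) {
            args.push_back(nullptr);                                   // missing operand
        } else if (tok == "true" || tok == "false") {
            args.push_back(std::make_unique<TIntermNode>(TIntermNode{TBasicType::Bool}));
        } else if (tok.find('.') != std::string::npos) {
            args.push_back(std::make_unique<TIntermNode>(TIntermNode{TBasicType::Float}));
        } else {
            args.push_back(std::make_unique<TIntermNode>(TIntermNode{TBasicType::Int}));
        }
        pos = comma + 1;
    }
    return args;
}

// Vulnerable shape: the operand pointer is dereferenced without a check.
// With from == nullptr this is a read of address 0; under AddressSanitizer it
// is reported as a SEGV on unknown address 0x000000000000 caused by a READ.
static bool isConversionAllowedUnchecked(TBasicType to, const TIntermNode* from) {
    if (from->basic == to) return true;
    return from->basic == TBasicType::Int && to == TBasicType::Float;  // only int -> float implicitly
}

// Hardened shape: a missing operand is "not convertible", so the caller
// reports an error and the compile fails cleanly instead of crashing.
static bool isConversionAllowedChecked(TBasicType to, const TIntermNode* from) {
    if (from == nullptr) return false;
    if (from->basic == to) return true;
    return from->basic == TBasicType::Int && to == TBasicType::Float;
}

// Checks every argument of a constructor call against the target type.
// Returns the number of accepted arguments, or -1 if any argument cannot be
// converted (including a null one left behind by the parser).
static int checkConstructorArgs(TBasicType target, const std::string& argSrc) {
    const auto args = parseArgs(argSrc);
    int accepted = 0;
    for (const auto& arg : args) {
        if (!isConversionAllowedChecked(target, arg.get())) return -1;
        ++accepted;
    }
    return accepted;
}

int main() {
    // Well-formed tree: both variants agree.
    const auto good = parseArgs("1.0,2");
    const bool a = isConversionAllowedUnchecked(TBasicType::Float, good[1].get());
    const bool b = isConversionAllowedChecked(TBasicType::Float, good[1].get());
    // Crafted input with a missing operand: only the checked variant survives.
    const int crafted = checkConstructorArgs(TBasicType::Float, "1.0,,2");
    return (a && b && crafted == -1) ? 0 : 1;
}
```

Compiling this file with `g++ -std=c++17 -g -fsanitize=address` and replacing the call in 'checkConstructorArgs' with the unchecked variant reproduces, in miniature, what the sanitizer build of glslang reports for the real issue: a READ of address 0 with a stack trace pointing at the conversion check. The same `-fsanitize=address` flag passed through the project's CMake C++ flags is what the reproduction paragraph above refers to.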
