Fixed an OOB that potentially causes a crash (#6079)

While emitting diagnostic notes about conversions, the code for checking `OutConversions` was not included in the loop. This caused an OOB when `I >= NumConversions`. Normally, this does not affect anything (other than not emitting the diagnostics for `OutConversions`), since most of the time `OutConversions[I].isBad()` happens to return false. However, in some cases when `OutConversions[I].isBad()` is true, calling `DiagnoseBadConversion()` on the invalid entry will crash.
2023-11-29 17:01:41 -08:00 · 2023-11-29 17:01:41 -08:00 · fc0ecb83b5
--- a/tools/clang/lib/Sema/SemaOverload.cpp
+++ b/tools/clang/lib/Sema/SemaOverload.cpp
@ -9490,13 +9490,19 @@ static void NoteFunctionCandidate(Sema &S, OverloadCandidate *Cand,
    return S.NoteOverloadCandidate(Fn);

  case ovl_fail_bad_conversion: {
-    unsigned I = (Cand->IgnoreObjectArgument ? 1 : 0);
-    for (unsigned N = Cand->NumConversions; I != N; ++I)
-      if (Cand->Conversions[I].isInitialized() && Cand->Conversions[I].isBad()) // HLSL Change: check in and out, check out conversions
-        return DiagnoseBadConversion(S, Cand, I, Cand->Conversions[I], OpLoc); // HLSL Change: add OpLoc
-    if (Cand->OutConversions[I].isInitialized() && Cand->OutConversions[I].isBad()) // HLSL Change: check in and out, check out conversions
-      return DiagnoseBadConversion(S, Cand, I, Cand->OutConversions[I], OpLoc); // HLSL Change: add OpLoc
-
+    for (unsigned I = (Cand->IgnoreObjectArgument ? 1 : 0),
+                  N = Cand->NumConversions;
+         I != N; ++I) {
+      // HLSL Change: check in and out, check out conversions
+      if (Cand->Conversions[I].isInitialized() && Cand->Conversions[I].isBad())
+        return DiagnoseBadConversion(S, Cand, I, Cand->Conversions[I],
+                                     OpLoc); // HLSL Change: add OpLoc
+      // HLSL Change: check in and out, check out conversions
+      if (Cand->OutConversions[I].isInitialized() &&
+          Cand->OutConversions[I].isBad())
+        return DiagnoseBadConversion(S, Cand, I, Cand->OutConversions[I],
+                                     OpLoc); // HLSL Change: add OpLoc
+    }
    // FIXME: this currently happens when we're called from SemaInit
    // when user-conversion overload fails.  Figure out how to handle
    // those conditions and diagnose them well.