Fix CVE-2025-3010: Null pointer dereference in isConversionAllowed

[cnDelbert]

Added a null check for 'node' in TIntermediate::isConversionAllowed to prevent a null pointer dereference when processing malformed HLSL conditional expressions.

This addresses the vulnerability reported in CVE-2025-3010 where a crafted shader could cause a crash due to missing validation before accessing node->getBasicType().

References:

• CVE-2025-3010
• NULL Pointer Dereference in glslang::TIntermediate::isConversionAllowed #3903

[CLAassistant]

All committers have signed the CLA.

[arcady-lunarg]

You will need to add your test to one of the lists of tests in gtests/Hlsl.FromFile.cpp and generate an expected test result using build/gtests/glslangtests --update-mode

[cnDelbert]

@arcady-lunarg I have added the test case to gtests/Hlsl.FromFile.cpp and generated the expected output file Test/baseResults/hlsl.cve-2025-3010.frag.out using the compiled validator. The PR has been updated with these changes.

[pmistryNV]

Seems like ToSpirv/HlslCompileTest.FromFile/hlsl_cve_2025_3010_frag is failing. Can you please check? Let me know if you need help with upstreaming

[dnovillo]

The golden output generated starts with Test\. It should not have the path, just the shader name. That seems to be the failure you're getting.

[dnovillo]

This seems like it's papering over the issue. The HLSL frontend is generating a nil node and passing it down. While this prevents the crash, it will silently supresses a potential semantic error. Where is this nil pointer generated? That is probably the spot to fix.

[dnovillo]

This file seems like a valid HLSL shader? The CVE should produce a nil TIntermTyped*. Do you have the original invalid shader?

[cnDelbert]

@sae-as-me Would you please help to fix or provide some shader examples?