Fix sub-vec4 uniform heap-buffer-overflow (SetInt) (#1637)

## Summary

`NativeEngine::SetInt` passed only 1 float to `Program::SetUniform`, but
bgfx always reads 16 bytes (vec4) from uniform data via
`UniformBuffer::write`. This caused a heap-buffer-overflow detected by
AddressSanitizer.

## Changes

**Bug fix:**
- **NativeEngine.cpp**: `SetInt` now creates a `float[4]` (zero-padded)
matching the `SetFloatN` pattern
- **Program.h**: Added `bgfx::UniformType::Enum Type` to `UniformInfo`
for type-aware validation
- **Program.cpp**: Stores `info.type` from `bgfx::getUniformInfo`; adds
debug assert in `SetUniform` that verifies data size matches
`floatsPerElement * elementLength` (compiles away in release)

**Test:**
- **Tests.UniformPadding.cpp**: Exercises `setInt`, `setFloat`,
`setVector2`, `setVector3` + draw call

## Verification

PR #1636 (test-only, without the fix) confirmed both ASAN CI jobs fail:
- `MacOS_Sanitizers`: `heap-buffer-overflow` in `bx::memCopy` from
`Program::SetUniform` from `SetInt`
- `Win32_x64_D3D11_Sanitizers`: same trace

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: bghgary

Apps/UnitTests/CMakeLists.txt

@@ -20,6 +20,7 @@ set(SOURCES
     "Source/Tests.ExternalTexture.cpp"
     "Source/Tests.JavaScript.cpp"
     "Source/Tests.ShaderCache.cpp"
+    "Source/Tests.UniformPadding.cpp"
     "Source/Utils.h"
     "Source/Utils.${GRAPHICS_API}.${BABYLON_NATIVE_PLATFORM_IMPL_EXT}")
 

Apps/UnitTests/Source/Tests.UniformPadding.cpp

@@ -0,0 +1,106 @@
+#include <gtest/gtest.h>
+
+#include <Babylon/AppRuntime.h>
+#include <Babylon/Graphics/Device.h>
+#include <Babylon/Polyfills/Console.h>
+#include <Babylon/Polyfills/Window.h>
+#include <Babylon/Plugins/NativeEngine.h>
+#include <Babylon/ScriptLoader.h>
+
+#include <future>
+#include <iostream>
+
+extern Babylon::Graphics::Configuration g_deviceConfig;
+
+// Exercises all sub-vec4 uniform setter paths followed by a draw call to
+// verify that uniform data is padded to at least 16 bytes (vec4).
+// bgfx always reads 16 bytes from uniform storage, so anything smaller
+// causes a heap-buffer-overflow detectable by AddressSanitizer.
+//
+// Paths exercised:
+//   setInt    → NativeEngine::SetInt    → Program::SetUniform (1 float + 3 pad)
+//   setFloat  → NativeEngine::SetFloat  → SetFloatN<1>        (1 float + 3 pad)
+//   setVector2→ NativeEngine::SetFloat2 → SetFloatN<2>        (2 floats + 2 pad)
+//   setVector3→ NativeEngine::SetFloat3 → SetFloatN<3>        (3 floats + 1 pad)
+TEST(UniformPadding, SubVec4UniformsDoNotOverflow)
+{
+    Babylon::Graphics::Device device{g_deviceConfig};
+    Babylon::Graphics::DeviceUpdate update{device.GetUpdate("update")};
+
+    device.StartRenderingCurrentFrame();
+    update.Start();
+
+    std::promise<void> done{};
+
+    Babylon::AppRuntime::Options options{};
+    options.UnhandledExceptionHandler = [&done](const Napi::Error& error) {
+        std::cerr << "[Uncaught Error] " << Napi::GetErrorString(error) << std::endl;
+        done.set_exception(std::make_exception_ptr(std::exception{}));
+    };
+
+    Babylon::AppRuntime runtime{options};
+    runtime.Dispatch([&device](Napi::Env env) {
+        device.AddToJavaScript(env);
+
+        Babylon::Polyfills::Console::Initialize(env, [](const char* message, auto) {
+            std::cout << message << std::endl;
+        });
+        Babylon::Polyfills::Window::Initialize(env);
+        Babylon::Plugins::NativeEngine::Initialize(env);
+    });
+
+    Babylon::ScriptLoader loader{runtime};
+    loader.LoadScript("app:///Assets/babylon.max.js");
+
+    // Disable async shader compilation so shaders are ready immediately.
+    // Create a scene with a ShaderMaterial that declares int, float, vec2,
+    // and vec3 uniforms. Setting and rendering these exercises every sub-vec4
+    // code path through Program::SetUniform → DrawInternal → bgfx::setUniform.
+    loader.Eval(R"(
+        const engine = new BABYLON.NativeEngine();
+        engine.getCaps().parallelShaderCompile = null;
+        const scene = new BABYLON.Scene(engine);
+        scene.createDefaultCamera();
+        const sphere = BABYLON.MeshBuilder.CreateSphere("s", { diameter: 1 }, scene);
+        const mat = new BABYLON.ShaderMaterial("test", scene, {
+            vertexSource: `
+                attribute vec3 position;
+                uniform mat4 worldViewProjection;
+                void main() { gl_Position = worldViewProjection * vec4(position, 1.0); }
+            `,
+            fragmentSource: `
+                precision highp float;
+                uniform int testInt;
+                uniform float testFloat;
+                uniform vec2 testVec2;
+                uniform vec3 testVec3;
+                void main() {
+                    gl_FragColor = vec4(
+                        float(testInt) + testFloat + testVec2.x + testVec3.x,
+                        testVec2.y + testVec3.y,
+                        testVec3.z,
+                        1.0);
+                }
+            `
+        }, {
+            attributes: ["position"],
+            uniforms: ["worldViewProjection", "testInt", "testFloat", "testVec2", "testVec3"]
+        });
+        mat.setInt("testInt", 1);
+        mat.setFloat("testFloat", 2.0);
+        mat.setVector2("testVec2", new BABYLON.Vector2(3.0, 4.0));
+        mat.setVector3("testVec3", new BABYLON.Vector3(5.0, 6.0, 7.0));
+        sphere.material = mat;
+        scene.render();
+        if (!scene.isReady()) { throw new Error("Scene should be ready with synchronous shader compilation"); }
+    )", "uniform_padding_test.js");
+
+    loader.Dispatch([&done](Napi::Env) {
+        done.set_value();
+    });
+
+    done.get_future().get();
+
+    update.Finish();
+    device.FinishRenderingCurrentFrame();
+}

Plugins/NativeEngine/Source/NativeEngine.cpp

@@ -1115,8 +1115,8 @@ namespace Babylon
     void NativeEngine::SetInt(NativeDataStream::Reader& data)
     {
         const auto& uniformInfo{*data.ReadPointer<UniformInfo>()};
-        const auto value{static_cast<float>(data.ReadInt32())};
-        m_currentProgram->SetUniform(uniformInfo.Handle, gsl::make_span(&value, 1));
+        const float values[] = {static_cast<float>(data.ReadInt32()), 0.f, 0.f, 0.f};
+        m_currentProgram->SetUniform(uniformInfo.Handle, values);
     }
 
     template<int size, typename arrayType>

Plugins/NativeEngine/Source/Program.cpp

@@ -2,6 +2,8 @@
 
 #include <arcana/tracing/trace_region.h>
 
+#include <cassert>
+
 namespace
 {
     void InitUniformInfos(
@@ -21,7 +23,7 @@ namespace
             bgfx::getUniformInfo(uniforms[index], info);
             auto itStage = uniformStages.find(info.name);
             auto& handle = uniforms[index];
-            uniformInfos.emplace(std::make_pair(handle.idx, Babylon::UniformInfo{itStage == uniformStages.end() ? uint8_t{} : itStage->second, handle, info.num}));
+            uniformInfos.emplace(std::make_pair(handle.idx, Babylon::UniformInfo{itStage == uniformStages.end() ? uint8_t{} : itStage->second, handle, info.type, info.num}));
             uniformNameToIndex[info.name] = handleIndex;
         }
     }
@@ -95,6 +97,18 @@ namespace Babylon
         }
 
         value.Data.assign(data.begin(), data.end());
+
+        // bgfx reads a type-dependent number of floats per array element from uniform data.
+        // Must match bgfx g_uniformTypeSize (bgfx.cpp): Vec4=4, Mat3=9, Mat4=16.
+        assert((itUniformInfo == m_uniformInfos.end() || [&]() {
+            static_assert(bgfx::UniformType::Vec4 == 2 && bgfx::UniformType::Mat3 == 3 && bgfx::UniformType::Mat4 == 4);
+            const size_t FloatsPerElement[] = {4, 9, 16};
+            bgfx::UniformType::Enum type = itUniformInfo->second.Type;
+            return (type >= bgfx::UniformType::Vec4 && type <= bgfx::UniformType::Mat4)
+                       ? value.Data.size() == FloatsPerElement[type - bgfx::UniformType::Vec4] * elementLength
+                       : false;
+        }()));
+
         value.ElementLength = static_cast<uint16_t>(elementLength);
     }
 

Plugins/NativeEngine/Source/Program.h

@@ -17,15 +17,17 @@ namespace Babylon
 {
     struct UniformInfo final
     {
-        UniformInfo(uint8_t stage, bgfx::UniformHandle handle, size_t maxElementLength)
+        UniformInfo(uint8_t stage, bgfx::UniformHandle handle, bgfx::UniformType::Enum type, size_t maxElementLength)
             : Stage{stage}
             , Handle{handle}
+            , Type{type}
             , MaxElementLength{maxElementLength}
         {
         }
 
         uint8_t Stage{};
         bgfx::UniformHandle Handle{bgfx::kInvalidHandle};
+        bgfx::UniformType::Enum Type{bgfx::UniformType::Count};
         size_t MaxElementLength{};
     };