From c9040f482e5ce3f57c344b193f3279db05b7a8a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Corentin=20No=C3=ABl?=
Date: Thu, 26 Oct 2023 12:11:16 +0200
Subject: [PATCH] mesa/bufferobj: ensure that very large width+offset are always rejected
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In the case width+offset is triggering an integer overflow, the checks in place are not working as the comparison will fail.

Cc: mesa-stable
Reviewed-by: Marek Olšák
Signed-off-by: Corentin Noël
Part-of:
(cherry picked from commit e95c9b0515b85f65e00d47a152a881cc232a0d92)
---
.pick_status.json | 2 +-
src/mesa/main/bufferobj.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index 89ac320bd81..17675369b10 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -1384,7 +1384,7 @@
"description": "mesa/bufferobj: ensure that very large width+offset are always rejected",
"nominated": true,
"nomination_type": 0,
- "resolution": 0,
+ "resolution": 1,
"main_sha": null,
"because_sha": null,
"notes": null
diff --git a/src/mesa/main/bufferobj.c b/src/mesa/main/bufferobj.c
index 64ed8024554..0e6e4760658 100644
--- a/src/mesa/main/bufferobj.c
+++ b/src/mesa/main/bufferobj.c
@@ -3373,14 +3373,14 @@ copy_buffer_sub_data(struct gl_context *ctx, struct gl_buffer_object *src,
return;
}

- if (readOffset + size > src->Size) {
+ if (size > src->Size || readOffset > src->Size - size) {
_mesa_error(ctx, GL_INVALID_VALUE,
"%s(readOffset %d + size %d > src_buffer_size %d)",
func, (int) readOffset, (int) size, (int) src->Size);
return;
}

- if (writeOffset + size > dst->Size) {
+ if (size > dst->Size || writeOffset > dst->Size - size) {
_mesa_error(ctx, GL_INVALID_VALUE,
"%s(writeOffset %d + size %d > dst_buffer_size %d)",
func, (int) writeOffset, (int) size, (int) dst->Size);
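Review bot: The rewritten guards `size > src->Size || readOffset > src->Size - size` and the matching `dst` check are only overflow-free if `size`, `readOffset` and `writeOffset` are already known to be non-negative: with a negative `size` (these appear to be signed GL pointer-sized types, which is why `readOffset + size` could overflow in the first place) the first operand is false and `src->Size - size` can itself overflow, so the fix silently depends on the `< 0` rejections that sit above the hunk (the hunk opens on the closing `return; }` of the previous check). A one-line comment above the first new `if`, e.g. `/* size, readOffset and writeOffset are >= 0 here, so Size - size cannot overflow and these comparisons are exact */`, would pin that precondition to the place that relies on it. Separately, the unchanged `_mesa_error` lines still print the operands through `(int)` casts with `%d`, so for exactly the very large offsets this patch rejects the diagnostic will show truncated values; printing them as `(long long)` with `%lld` would make the message match what was actually rejected. copy_buffer_sub_data starts and ends outside this hunk.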