mesa/bufferobj: ensure that very large width+offset are always rejected

In the case width+offset is triggering an integer overflow, the checks in place are not working as the comparison will fail. Cc: mesa-stable Reviewed-by: Marek Olšák <marek.olsak@amd.com> Signed-off-by: Corentin Noël <corentin.noel@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25909> (cherry picked from commit e95c9b0515)
2023-10-26 12:11:16 +02:00
parent e3bef4dfa3
commit c9040f482e
2 changed files with 3 additions and 3 deletions
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -1384,7 +1384,7 @@
        "description": "mesa/bufferobj: ensure that very large width+offset are always rejected",
        "nominated": true,
        "nomination_type": 0,
-        "resolution": 0,
+        "resolution": 1,
        "main_sha": null,
        "because_sha": null,
        "notes": null
--- a/src/mesa/main/bufferobj.c
+++ b/src/mesa/main/bufferobj.c
@@ -3373,14 +3373,14 @@ copy_buffer_sub_data(struct gl_context *ctx, struct gl_buffer_object *src,
      return;
   }
-   if (readOffset + size > src->Size) {
+   if (size > src->Size || readOffset > src->Size - size) {
      _mesa_error(ctx, GL_INVALID_VALUE,
                  "%s(readOffset %d + size %d > src_buffer_size %d)", func,
                  (int) readOffset, (int) size, (int) src->Size);
      return;
   }
-   if (writeOffset + size > dst->Size) {
+   if (size > dst->Size || writeOffset > dst->Size - size) {
      _mesa_error(ctx, GL_INVALID_VALUE,
                  "%s(writeOffset %d + size %d > dst_buffer_size %d)", func,
                  (int) writeOffset, (int) size, (int) dst->Size);