Module: Mesa Branch: main Commit: e95c9b0515b85f65e00d47a152a881cc232a0d92 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=e95c9b0515b85f65e00d47a152a881cc232a0d92
Author: Corentin Noël <[email protected]> Date: Thu Oct 26 12:11:16 2023 +0200 mesa/bufferobj: ensure that very large width+offset are always rejected In the case width+offset is triggering an integer overflow, the checks in place are not working as the comparison will fail. Cc: mesa-stable Reviewed-by: Marek Olšák <[email protected]> Signed-off-by: Corentin Noël <[email protected]> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25909> --- src/mesa/main/bufferobj.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mesa/main/bufferobj.c b/src/mesa/main/bufferobj.c index 64ed8024554..0e6e4760658 100644 --- a/src/mesa/main/bufferobj.c +++ b/src/mesa/main/bufferobj.c @@ -3373,14 +3373,14 @@ copy_buffer_sub_data(struct gl_context *ctx, struct gl_buffer_object *src, return; } - if (readOffset + size > src->Size) { + if (size > src->Size || readOffset > src->Size - size) { _mesa_error(ctx, GL_INVALID_VALUE, "%s(readOffset %d + size %d > src_buffer_size %d)", func, (int) readOffset, (int) size, (int) src->Size); return; } - if (writeOffset + size > dst->Size) { + if (size > dst->Size || writeOffset > dst->Size - size) { _mesa_error(ctx, GL_INVALID_VALUE, "%s(writeOffset %d + size %d > dst_buffer_size %d)", func, (int) writeOffset, (int) size, (int) dst->Size);
