NeroReflex/mesa
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

mesa/bufferobj: ensure that very large width+offset are always rejected

Browse source 
In the case width+offset is triggering an integer overflow, the checks in place
are not working as the comparison will fail.

Cc: mesa-stable

Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Signed-off-by: Corentin Noël <corentin.noel@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25909>
This commit is contained in:
Corentin Noël 2023-10-26 12:11:16 +02:00 committed by Marge Bot
parent 4f8a225387
commit e95c9b0515
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/mesa/main/bufferobj.c
View file

@ -3373,14 +3373,14 @@ copy_buffer_sub_data(struct gl_context *ctx, struct gl_buffer_object *src,
return;
}
if (readOffset + size > src->Size) {
if (size > src->Size || readOffset > src->Size - size) {
_mesa_error(ctx, GL_INVALID_VALUE,
"%s(readOffset %d + size %d > src_buffer_size %d)", func,
(int) readOffset, (int) size, (int) src->Size);
return;
}
if (writeOffset + size > dst->Size) {
if (size > dst->Size || writeOffset > dst->Size - size) {
_mesa_error(ctx, GL_INVALID_VALUE,
"%s(writeOffset %d + size %d > dst_buffer_size %d)", func,
(int) writeOffset, (int) size, (int) dst->Size);