radeonsi: verify buffer_offset value before using it

This buffer_ofset can come directly from the application (e.g: when using
glVertexAttribPointer) and can contain an invalid value.

st_atom_array already makes sure that if it's not negative so all that's left
is to verify that it's smaller that the buffer size.

Bugs related to this issue:

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105251#c52
Bugzilla: https://bugzilla.freedesktop.org/show_bug.cgi?id=109693
Signed-off-by: Marek Olšák <marek.olsak@amd.com>

diff --git a/src/gallium/drivers/radeonsi/si_descriptors.c b/src/gallium/drivers/radeonsi/si_descriptors.c
index ca58ec6577cacfbe137e8d24f82b25bb4a2192d4..f7bd589e6d368a0ac57878f433f8c5e2a9d2f4aa 100644 (file)
--- a/src/gallium/drivers/radeonsi/si_descriptors.c
+++ b/src/gallium/drivers/radeonsi/si_descriptors.c
@@ -1160,6 +1160,13 @@ bool si_upload_vertex_buffer_descriptors(struct si_context *sctx)
 
                int64_t offset = (int64_t)((int)vb->buffer_offset) +
                                 velems->src_offset[i];
+
+               if (offset >= buf->b.b.width0) {
+                       assert(offset < buf->b.b.width0);
+                       memset(desc, 0, 16);
+                       continue;
+               }
+
                uint64_t va = buf->gpu_address + offset;
 
                int64_t num_records = (int64_t)buf->b.b.width0 - offset;