author Corentin Noël <corentin.noel@collabora.com> 2023-10-26 12:11:16 +0200
committer Eric Engestrom <eric@engestrom.ch> 2023-10-30 15:47:10 +0000
commit c9040f482e5ce3f57c344b193f3279db05b7a8a4
tree f9afd8eba40351dcb2e3a823aa19f7d56f7b4957
parent e3bef4dfa371dad053311687a13497df92451971
mesa/bufferobj: ensure that very large width+offset are always rejected
In the case width+offset is triggering an integer overflow, the checks in place are not working as the comparison will fail.

Cc: mesa-stable
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Signed-off-by: Corentin Noël <corentin.noel@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/25909>
(cherry picked from commit e95c9b0515b85f65e00d47a152a881cc232a0d92)
-rw-r--r-- .pick_status.json 2
-rw-r--r-- src/mesa/main/bufferobj.c 4
2 files changed, 3 insertions, 3 deletions
diff --git a/.pick_status.json b/.pick_status.json
index 89ac320bd81..17675369b10 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -1384,7 +1384,7 @@
"description": "mesa/bufferobj: ensure that very large width+offset are always rejected",
"nominated": true,
"nomination_type": 0,
- "resolution": 0,
+ "resolution": 1,
"main_sha": null,
"because_sha": null,
"notes": null
diff --git a/src/mesa/main/bufferobj.c b/src/mesa/main/bufferobj.c
index 64ed8024554..0e6e4760658 100644
--- a/src/mesa/main/bufferobj.c
+++ b/src/mesa/main/bufferobj.c
@@ -3373,14 +3373,14 @@ copy_buffer_sub_data(struct gl_context *ctx, struct gl_buffer_object *src,
return;
}
- if (readOffset + size > src->Size) {
+ if (size > src->Size || readOffset > src->Size - size) {
_mesa_error(ctx, GL_INVALID_VALUE,
"%s(readOffset %d + size %d > src_buffer_size %d)", func,
(int) readOffset, (int) size, (int) src->Size);
return;
}
- if (writeOffset + size > dst->Size) {
+ if (size > dst->Size || writeOffset > dst->Size - size) {
_mesa_error(ctx, GL_INVALID_VALUE,
"%s(writeOffset %d + size %d > dst_buffer_size %d)", func,
(int) writeOffset, (int) size, (int) dst->Size);
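Review bot: The two _mesa_error calls under the rewritten checks still print readOffset, writeOffset, size and the buffer sizes with %d after an (int) cast, so for the very large values this change is meant to reject, the logged numbers are truncated and can look like an in-range request. Consider printing them at full width (for example by casting to int64_t and using PRId64) so the error text reflects what was actually rejected. A short comment above `if (size > src->Size || readOffset > src->Size - size) {` would also help: say that the subtraction form is deliberate because offset + size can overflow, and state whether it depends on earlier non-negative checks on size and the offsets, which are outside this hunk, so that a later cleanup does not fold it back into the additive comparison. Since the same two-clause test now appears for both src and dst, a small shared helper would keep the two from drifting apart.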