From ff2601ffec1ee1c7201bcbcb349c50080d7cce95 Mon Sep 17 00:00:00 2001
From: Eric Anholt <eric@anholt.net>
Date: Wed, 30 Dec 2020 12:51:04 -0800
Subject: [PATCH] softpipe: Sanity check that the SSBO view offset is within
 the BO.

If we're going to check that the size matches, we should consider the
buffer offset too.  I haven't tracked down any testcases doing this, but
it seems obviously correct.

Reviewed-by: Dave Airlie <airlied@redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8276>
---
 src/gallium/drivers/softpipe/sp_buffer.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/softpipe/sp_buffer.c b/src/gallium/drivers/softpipe/sp_buffer.c
index fdc21b9..ce79417 100644
--- a/src/gallium/drivers/softpipe/sp_buffer.c
+++ b/src/gallium/drivers/softpipe/sp_buffer.c
@@ -40,8 +40,11 @@ sp_tgsi_ssbo_lookup(const struct tgsi_buffer *buffer,
 
    struct pipe_shader_buffer *bview = &sp_buf->sp_bview[unit];
    /* Sanity check the view size is within our buffer. */
-   if (!bview->buffer || bview->buffer_size > bview->buffer->width0)
+   if (!bview->buffer ||
+       bview->buffer_offset > bview->buffer->width0 ||
+       bview->buffer_size > bview->buffer->width0 - bview->buffer_offset) {
       return NULL;
+   }
 
    struct softpipe_resource *spr = softpipe_resource(bview->buffer);
    *size = bview->buffer_size;
-- 
2.7.4