From 98ff271c5a3643a1cbbaf070896cf6a22a45c2c8 Mon Sep 17 00:00:00 2001 From: Rob Clark Date: Wed, 30 Oct 2024 11:41:40 -0700 Subject: [PATCH] util/primconvert: Avoid OoB with improbable draws Detect when the temporary index buffer cannot be generated due to too large primitive count, and simply drop the draw on the floor. Fixes a webgl reachable asan/crash. Cc: mesa-stable Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/12092 Signed-off-by: Rob Clark Reviewed-by: Alyssa Rosenzweig Reviewed-By: Mike Blumenkrantz Part-of: --- src/gallium/auxiliary/indices/u_primconvert.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/gallium/auxiliary/indices/u_primconvert.c b/src/gallium/auxiliary/indices/u_primconvert.c
index fe0cdcf3ccd..876e35631e1 100644
--- a/src/gallium/auxiliary/indices/u_primconvert.c
+++ b/src/gallium/auxiliary/indices/u_primconvert.c
@@ -221,8 +221,13 @@ primconvert_init_draw(struct primconvert_context *pc,
 }
 /* (step 5: allocate gpu memory sized for the FINAL index count) */
- u_upload_alloc(pc->pipe->stream_uploader, 0, new_info->index_size * new_draw->count, 4,
+ uint64_t new_size = (uint64_t)new_info->index_size * new_draw->count;
+ if (new_size > UINT_MAX)
+ return false;
+ u_upload_alloc(pc->pipe->stream_uploader, 0, new_size, 4,
 &ib_offset, &new_info->index.resource, &dst);
+ if (!dst)
+ return false;
 new_draw->start = ib_offset / new_info->index_size;
 new_draw->index_bias = info->index_size ? draw.index_bias : 0;