From e989acb03ba802737f762627dd16ac1d0b9f0d13 Mon Sep 17 00:00:00 2001
From: Francisco Jerez <currojerez@riseup.net>
Date: Fri, 16 Mar 2018 14:35:10 -0700
Subject: [PATCH] i965: Handle non-zero texture buffer offsets in buffer object
 range calculation.

Otherwise the specified surface state will allow the GPU to access
memory up to BufferOffset bytes past the end of the buffer.  Found by
inspection.

v2: Protect against out-of-range BufferOffset (Nanley).
Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Nanley Chery <nanley.g.chery@intel.com>
---
 src/mesa/drivers/dri/i965/brw_wm_surface_state.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
index af629a17bfa..39e898243db 100644
--- a/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
+++ b/src/mesa/drivers/dri/i965/brw_wm_surface_state.c
@@ -647,6 +647,7 @@ buffer_texture_range_size(struct brw_context *brw,
    const unsigned texel_size = _mesa_get_format_bytes(obj->_BufferObjectFormat);
    const unsigned buffer_size = (!obj->BufferObject ? 0 :
                                  obj->BufferObject->Size);
+   const unsigned buffer_offset = MIN2(buffer_size, obj->BufferOffset);
 
    /* The ARB_texture_buffer_specification says:
     *
@@ -664,7 +665,8 @@ buffer_texture_range_size(struct brw_context *brw,
     * so that when ISL divides by stride to obtain the number of texels, that
     * texel count is clamped to MAX_TEXTURE_BUFFER_SIZE.
     */
-   return MIN3((unsigned)obj->BufferSize, buffer_size,
+   return MIN3((unsigned)obj->BufferSize,
+               buffer_size - buffer_offset,
                brw->ctx.Const.MaxTextureBufferSize * texel_size);
 }