fix(core): validate start + size for buffer ops in more places

ErichDonGubler · ErichDonGubler · commit 23440e28f076 · 2026-02-11T15:53:01.000-05:00
diff --git a/wgpu-core/src/command/transfer.rs b/wgpu-core/src/command/transfer.rs
@@ -982,7 +982,14 @@ pub(super) fn copy_buffer_to_buffer(
     let dst_barrier = dst_pending.map(|pending| pending.into_hal(dst_buffer, state.snatch_guard));
 
     let (size, source_end_offset) = match size {
-        Some(size) => (size, source_offset + size),
+        Some(size) => {
+            if let Some(end) = source_offset.checked_add(size) {
+                (size, end)
+            } else {
+                // TODO: Is this the right error to report?
+                return Err(TransferError::SizeOverflow.into());
+            }
+        }
         None => (src_buffer.size - source_offset, src_buffer.size),
     };
 
diff --git a/wgpu-core/src/device/queue.rs b/wgpu-core/src/device/queue.rs
@@ -660,10 +660,13 @@ impl Queue {
         if !buffer_offset.is_multiple_of(wgt::COPY_BUFFER_ALIGNMENT) {
             return Err(TransferError::UnalignedBufferOffset(buffer_offset));
         }
-        if buffer_offset + buffer_size.get() > buffer.size {
+        let end_offset = buffer_offset
+            .checked_add(buffer_size.get())
+            .ok_or(TransferError::SizeOverflow)?;
+        if end_offset > buffer.size {
             return Err(TransferError::BufferOverrun {
                 start_offset: buffer_offset,
-                end_offset: buffer_offset + buffer_size.get(),
+                end_offset,
                 buffer_size: buffer.size,
                 side: CopySide::Destination,
             });
@@ -1609,10 +1612,14 @@ impl Global {
         let queue = self.hub.queues.get(queue_id);
         let buffer = self.hub.buffers.get(buffer_id).get()?;
 
+        let end_offset = buffer_offset
+            .checked_add(data.len() as u64)
+            .ok_or(TransferError::SizeOverflow)?;
+
         #[cfg(feature = "trace")]
         if let Some(ref mut trace) = *queue.device.trace.lock() {
             use crate::device::trace::DataKind;
-            let range = buffer_offset..buffer_offset + data.len() as u64;
+            let range = buffer_offset..end_offset;
             let data = trace.make_binary(DataKind::Bin, data);
             trace.add(Action::WriteBuffer {
                 id: buffer.to_trace(),
diff --git a/wgpu-core/src/resource.rs b/wgpu-core/src/resource.rs
@@ -301,6 +301,13 @@ pub enum BufferAccessError {
     MapAborted,
     #[error(transparent)]
     InvalidResource(#[from] InvalidResourceError),
+    #[error(
+        "Map end offset (start at {offset} + size of {size}) overflows unsigned 64-bit integer"
+    )]
+    MapEndOffsetOverflows {
+        offset: wgt::BufferAddress,
+        size: wgt::BufferAddress,
+    },
 }
 
 impl WebGpuError for BufferAccessError {
@@ -321,7 +328,8 @@ impl WebGpuError for BufferAccessError {
             | Self::OutOfBoundsUnderrun { .. }
             | Self::OutOfBoundsOverrun { .. }
             | Self::NegativeRange { .. }
-            | Self::MapAborted => return ErrorType::Validation,
+            | Self::MapAborted
+            | Self::MapEndOffsetOverflows { .. } => return ErrorType::Validation,
         };
         e.webgpu_error_type()
     }
@@ -592,7 +600,19 @@ impl Buffer {
             return Err((op, BufferAccessError::UnalignedRangeSize { range_size }));
         }
 
-        let range = offset..(offset + range_size);
+        let end_offset = match offset.checked_add(range_size) {
+            Some(some) => some,
+            None => {
+                return Err((
+                    op,
+                    BufferAccessError::MapEndOffsetOverflows {
+                        offset,
+                        size: range_size,
+                    },
+                ))
+            }
+        };
+        let range = offset..end_offset;
 
         if range.start % wgt::MAP_ALIGNMENT != 0 || range.end % wgt::COPY_BUFFER_ALIGNMENT != 0 {
             return Err((op, BufferAccessError::UnalignedRange));
@@ -702,10 +722,16 @@ impl Buffer {
         let map_state = &*self.map_state.lock();
         match *map_state {
             BufferMapState::Init { ref staging_buffer } => {
+                let mapping_end_offset = offset.checked_add(range_size).ok_or(
+                    BufferAccessError::MapEndOffsetOverflows {
+                        offset,
+                        size: range_size,
+                    },
+                )?;
                 // offset (u64) can not be < 0, so no need to validate the lower bound
-                if offset + range_size > self.size {
+                if mapping_end_offset > self.size {
                     return Err(BufferAccessError::OutOfBoundsOverrun {
-                        index: offset + range_size - 1,
+                        index: mapping_end_offset.checked_sub(1).unwrap(),
                         max: self.size,
                     });
                 }
