fix(core)!: validate set_immediate's values_offset param.

Author: ErichDonGubler

CHANGELOG.md

@@ -227,6 +227,7 @@ By @kpreid in [#9042](https://github.com/gfx-rs/wgpu/pull/9042).
   - `ImmediateUploadError`:
     - Removed the `TooLarge` variant in favor of new `StartOffsetOverrun` and `EndOffsetOverrun` variants.
     - Removed the `Unaligned` variant in favor of new `StartOffsetUnaligned` and `SizeUnaligned` variants.
+    - Added the `ValueStartIndexOverrun` and `ValueEndIndexOverrun` invariants
 - The various "max resources per stage" limits are now capped at 100, so that their total remains below `max_bindings_per_bind_group`, as required by WebGPU. By @andyleiserson in [#9118](https://github.com/gfx-rs/wgpu/pull/9118).
 - The `max_uniform_buffer_binding_size` and `max_storage_buffer_binding_size` limits are now `u64` instead of `u32`, to match WebGPU. By @wingertge in [#9146](https://github.com/gfx-rs/wgpu/pull/9146).
 - The main 3 native backends now report their limits properly. By @teoxoy in [#9196](https://github.com/gfx-rs/wgpu/pull/9196).

wgpu-core/src/binding_model.rs

@@ -889,6 +889,20 @@ pub enum ImmediateUploadError {
         size: u32,
         immediate_size: u32,
     },
+    #[error("Start index {start_index} overruns the value data range with {data_size} element(s)")]
+    ValueStartIndexOverrun { start_index: u32, data_size: usize },
+    #[error(
+        "Start index {} + count of {} overruns the value data range \
+        with {} element(s)",
+        start_index,
+        count,
+        data_size
+    )]
+    ValueEndIndexOverrun {
+        start_index: u32,
+        count: u32,
+        data_size: usize,
+    },
 }
 
 impl WebGpuError for ImmediateUploadError {

wgpu-core/src/command/pass.rs

@@ -240,8 +240,30 @@ where
 
     pipeline_layout.validate_immediates_ranges(offset, size_bytes)?;
 
-    let values_end_offset = (values_offset + size_bytes / wgt::IMMEDIATE_DATA_ALIGNMENT) as usize;
-    let data_slice = &immediates_data[(values_offset as usize)..values_end_offset];
+    let values_offset_usize = values_offset as usize;
+    if values_offset_usize > immediates_data.len() {
+        return Err(ImmediateUploadError::ValueStartIndexOverrun {
+            start_index: values_offset,
+            data_size: immediates_data.len(),
+        }
+        .into());
+    }
+
+    // NOTE: The `validate_immediates_ranges` call above validates `size_bytes` is aligned.
+    let size_immediate_elements = size_bytes / wgt::IMMEDIATE_DATA_ALIGNMENT;
+    let size_immediate_elements_usize = size_immediate_elements as usize;
+    if size_immediate_elements_usize > immediates_data.len() - values_offset_usize {
+        return Err(ImmediateUploadError::ValueEndIndexOverrun {
+            start_index: values_offset,
+            count: size_immediate_elements,
+            data_size: immediates_data.len(),
+        }
+        .into());
+    }
+
+    // NOTE: These additions are will not overflow, because we've validated the range above.
+    let values_end_offset = values_offset_usize + size_immediate_elements_usize;
+    let data_slice = &immediates_data[(values_offset_usize)..values_end_offset];
 
     f(data_slice);