From 07d2ab29b68770e30c75e85feb128b138f13d00d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= <marek.olsak@amd.com>
Date: Fri, 21 Nov 2025 20:27:49 -0500
Subject: [PATCH] st/mesa: disallow the PBO upload fragment shader

It passes image_size to the shader as int32_t.

Reviewed-by: Qiang Yu <yuq825@gmail.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/38587>
---
 src/mesa/state_tracker/st_pbo.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/mesa/state_tracker/st_pbo.c b/src/mesa/state_tracker/st_pbo.c
index cf41a624a30..2f3a55279a3 100644
--- a/src/mesa/state_tracker/st_pbo.c
+++ b/src/mesa/state_tracker/st_pbo.c
@@ -57,6 +57,10 @@ st_pbo_addresses_setup(struct st_context *st,
 {
    unsigned skip_pixels;
 
+   /* image_size is int32_t */
+   if ((size_t)addr->pixels_per_row * addr->image_height > INT32_MAX)
+      return false;
+
    /* Check alignment against texture buffer requirements. */
    {
       unsigned ofs = (buf_offset * addr->bytes_per_pixel) % st->ctx->Const.TextureBufferOffsetAlignment;