From 7f240ff038e649a4a63d6a720744e0a15e6ca484 Mon Sep 17 00:00:00 2001
From: Mike Blumenkrantz
Date: Thu, 30 Apr 2026 11:07:12 -0400
Subject: [PATCH] lavapipe: fix indirect memory copies

this was using the wrong size for the copy
cc: mesa-stable
(cherry picked from commit 87764963f25c51248406d400c8935228b19d4347)
Part-of:
---
 .pick_status.json | 2 +-
 src/gallium/frontends/lavapipe/lvp_execute.c | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.pick_status.json b/.pick_status.json
index d4eba9ce7ee..f37e175c3d9 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -1674,7 +1674,7 @@
 "description": "lavapipe: fix indirect memory copies",
 "nominated": true,
 "nomination_type": 1,
- "resolution": 0,
+ "resolution": 1,
 "main_sha": null,
 "because_sha": null,
 "notes": null
diff --git a/src/gallium/frontends/lavapipe/lvp_execute.c b/src/gallium/frontends/lavapipe/lvp_execute.c
index c231157e2d6..ebc97a3c2c3 100644
--- a/src/gallium/frontends/lavapipe/lvp_execute.c
+++ b/src/gallium/frontends/lavapipe/lvp_execute.c
@@ -2543,16 +2543,18 @@ static void handle_copy_memory_indirect(struct vk_cmd_queue_entry *cmd, { const VkCopyMemoryIndirectInfoKHR *copycmd = cmd->u.copy_memory_indirect_khr.copy_memory_indirect_info; + uint8_t *base = (uint8_t*)(uintptr_t)copycmd->copyAddressRange.address; for (uint32_t i = 0; i < copycmd->copyCount; i++) { - uint8_t *ptr = (void*)(uintptr_t)copycmd->copyAddressRange.address; - VkCopyMemoryIndirectCommandKHR *copy = (void*)(ptr + i * copycmd->copyAddressRange.stride); + if (i * copycmd->copyAddressRange.stride > copycmd->copyAddressRange.size) + break; + VkCopyMemoryIndirectCommandKHR *copy = (void*)(base + i * copycmd->copyAddressRange.stride); void *src = (void*)(uintptr_t)copy->srcAddress; void *dst = (void*)(uintptr_t)copy->dstAddress; /* Techincally apps passing in size of zero still need valid pointers, * but in case they don't (which is easy to do) we don't want undefined behavior (or crash) in memcpy. */ if (copy->size != 0) - memcpy(dst, src, copycmd->copyAddressRange.size); + memcpy(dst, src, copy->size); } }
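Review bot: The new bounds check in the loop only compares the record's start offset against `copyAddressRange.size`, and with `>` rather than `>=`, so a command record that begins exactly at the end of the range, or begins inside it and runs past the end, is still dereferenced through `copy`. Because these addresses are cast to host pointers and `copy->size` goes straight into `memcpy`, the check should cover the whole record: `if (i * copycmd->copyAddressRange.stride + sizeof(VkCopyMemoryIndirectCommandKHR) > copycmd->copyAddressRange.size) break;`. If `stride` is narrower than 64 bits the multiplication by the 32-bit `i` could also wrap, so widening with `(uint64_t)i` is worth confirming against the struct definition, which is not visible here. The function's signature begins in the hunk header, outside the visible lines.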