From 8d237b540887a449316364adc38cd84a707cf75a Mon Sep 17 00:00:00 2001
From: Caio Oliveira
Date: Tue, 12 May 2026 15:32:15 -0700
Subject: [PATCH] intel/executor: Add an overflow check for alloc function

Assisted-by: Pi coding agent (GPT-5.5)
Acked-by: Lionel Landwerlin
Part-of:
---
 src/intel/executor/executor_main.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/intel/executor/executor_main.c b/src/intel/executor/executor_main.c
index c24322dbd7a..79cc913cbc4 100644
--- a/src/intel/executor/executor_main.c
+++ b/src/intel/executor/executor_main.c
@@ -348,12 +348,17 @@ executor_alloc_bytes(executor_bo *bo, uint32_t size)
 void *
 executor_alloc_bytes_aligned(executor_bo *bo, uint32_t size, uint32_t alignment)
 {
- void *r = bo->cursor;
- if (alignment) {
- r = (void *)(((uintptr_t)r + alignment-1) & ~((uintptr_t)alignment-1));
- }
- bo->cursor = r + size;
- return r;
+ uintptr_t r = (uintptr_t)bo->cursor;
+ if (alignment)
+ r = (r + alignment - 1) & ~((uintptr_t)alignment - 1);
+
+ uint64_t offset = r - (uintptr_t)bo->map;
+ if (offset > bo->size || size > bo->size - offset)
+ failf("executor BO overflow");
+
+ void *ptr = (void *)r;
+ bo->cursor = ptr + size;
+ return ptr;
 }

 executor_address
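Review bot: The round-up in `executor_alloc_bytes_aligned` still assumes `alignment` is zero or a power of two, and nothing in the new code enforces that. For any other value the mask `~((uintptr_t)alignment - 1)` returns a pointer that is not aligned as requested, although the result never falls below the cursor, so the added bounds check stays valid. An `assert(alignment == 0 || (alignment & (alignment - 1)) == 0);` at the top of the function would make the precondition explicit. The bounds check only protects the BO if `failf` does not return, which is presumably the case but is not visible in this hunk; if it can return, `bo->cursor` is still advanced past the end of the mapping. A short comment above the check, such as `/* compare against the remaining space so offset + size cannot wrap */`, would record why the subtraction form is used.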