From 94aaf917dca13453e2b8adf7c3c086d2b1de6ecb Mon Sep 17 00:00:00 2001
From: Nicolas Silva
Date: Wed, 3 Aug 2022 12:18:48 +0200
Subject: [PATCH 1/2] Validate that map_async's range is not negative.

map_async already checks that the range's end is within the bounds of the buffer, so this also ensures the range start is within bounds.
---
 wgpu-core/src/device/mod.rs | 14 +++++++++++---
 wgpu-core/src/resource.rs | 5 +++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/wgpu-core/src/device/mod.rs b/wgpu-core/src/device/mod.rs
index 895d7e068f..b3d8247ee4 100644
--- a/wgpu-core/src/device/mod.rs
+++ b/wgpu-core/src/device/mod.rs
@@ -5403,9 +5403,8 @@ impl Global {
 BufferMapAsyncStatus::InvalidAlignment
 }
 &BufferAccessError::OutOfBoundsUnderrun { .. }
- | &BufferAccessError::OutOfBoundsOverrun { .. } => {
- BufferMapAsyncStatus::InvalidRange
- }
+ | &BufferAccessError::OutOfBoundsOverrun { .. }
+ | &BufferAccessError::NegativeRange { .. } => BufferMapAsyncStatus::InvalidRange,
 _ => BufferMapAsyncStatus::Error,
 };

@@ -5456,6 +5455,15 @@ impl Global {
 return Err((op, e.into()));
 }

+ if range.start > range.end {
+ return Err((
+ op,
+ BufferAccessError::NegativeRange {
+ start: range.start,
+ end: range.end,
+ },
+ ));
+ }
 if range.end > buffer.size {
 return Err((
 op,
diff --git a/wgpu-core/src/resource.rs b/wgpu-core/src/resource.rs
index 07a7086ff1..0c574d7665 100644
--- a/wgpu-core/src/resource.rs
+++ b/wgpu-core/src/resource.rs
@@ -173,6 +173,11 @@ pub enum BufferAccessError {
 index: wgt::BufferAddress,
 max: wgt::BufferAddress,
 },
+ #[error("buffer map range start {start} is greater than end {end}")]
+ NegativeRange {
+ start: wgt::BufferAddress,
+ end: wgt::BufferAddress,
+ },
 }

 pub(crate) struct BufferPendingMapping {

From ddc35810776d0396e60d3a883f5096bb7f00b400 Mon Sep 17 00:00:00 2001
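Review bot: In the first hunk of wgpu-core/src/device/mod.rs, the status mapping still ends in `_ => BufferMapAsyncStatus::Error`, so the new `NegativeRange` variant only reports `InvalidRange` because this arm was added by hand. Any later `BufferAccessError` variant that is forgotten here will be reported as a generic error without a compiler warning. Listing the remaining variants explicitly in place of the wildcard would make the match exhaustive, or at least add a comment such as `// Keep in sync with BufferAccessError: unlisted variants are reported as Error.` above the wildcard arm. The enclosing function starts and ends outside the hunk.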
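Review bot: In the second hunk of wgpu-core/src/device/mod.rs, the new `range.start > range.end` guard has no comment stating the invariant it establishes, and no test in this patch exercises it. Together with the `range.end > buffer.size` check below it, the guard gives `start <= end <= buffer.size`, which later code presumably relies on when it derives a mapped length from the range; a comment such as `// With the end check below: start <= end <= buffer.size, so end - start cannot underflow.` would record that. An empty range (start equal to end) still passes, which looks intended. A regression test that requests a mapping with start greater than end and expects `BufferMapAsyncStatus::InvalidRange` would pin the behaviour. The enclosing function starts and ends outside the hunk.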
From: Nicolas Silva
Date: Wed, 3 Aug 2022 12:29:31 +0200
Subject: [PATCH 2/2] Add an entry in the changelog.

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb358915dd..96b17ed250 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -104,7 +104,8 @@ the same every time it is rendered, we now warn if it is missing.
 - Fix bugs when mapping/unmapping zero-sized buffers and ranges by @nical in [#2877](https://github.com/gfx-rs/wgpu/pull/2877)
 - Fix out-of-bound write in `map_buffer` with non-zero offset by @nical in [#2916](https://github.com/gfx-rs/wgpu/pull/2916)
 - Validate the number of color attachments in `create_render_pipeline` by @nical in [#2913](https://github.com/gfx-rs/wgpu/pull/2913)
-- Validate against the maximum binding index in `create_bind_group_layout` by @nical in [#2892]
+- Validate against the maximum binding index in `create_bind_group_layout` by @nical in [#2892](https://github.com/gfx-rs/wgpu/pull/2892)
+- Validate that map_async's range is not negative by @nical in [#2938](https://github.com/gfx-rs/wgpu/pull/2938)

 #### DX12
 - `DownlevelCapabilities::default()` now returns the `ANISOTROPIC_FILTERING` flag set to true so DX12 lists `ANISOTROPIC_FILTERING` as true again by @cwfitzgerald in [#2851](https://github.com/gfx-rs/wgpu/pull/2851)