Avoid integer overflow on multiplication in write_texture.

[nical]

Checklist

• Run cargo clippy.
• Add change to CHANGELOG.md. See simple instructions inside file.

Connections

Found by

https://bugzilla.mozilla.org/show_bug.cgi?id=1791809

Description

With large depth values in copy_size, validate_linear_texture_data can run into integer overflows.
This is avoided by validating the copy depth before calling validate_linear_texture_data in queue_write_texture.
The other two validate_linear_texture_data call sites already have the copy size validated beforehand.

Testing

I can add a test when I come back from vacation a week from now.

[codecov-commenter]

Codecov Report

Merging #3146 (26a5505) into master (c453397) will decrease coverage by 0.00%.
The diff coverage is 76.92%.

@@            Coverage Diff             @@
##           master    #3146      +/-   ##
==========================================
- Coverage   65.41%   65.41%   -0.01%     
==========================================
  Files          81       81              
  Lines       38763    38766       +3     
==========================================
+ Hits        25358    25359       +1     
- Misses      13405    13407       +2     

Impacted Files	Coverage Δ
wgpu-core/src/device/queue.rs	70.69% <66.66%> (-0.12%)	⬇️
wgpu-core/src/command/transfer.rs	70.87% <100.00%> (+0.10%)	⬆️
wgpu-core/src/track/range.rs	92.85% <0.00%> (-2.15%)	⬇️
wgpu-hal/src/gles/egl.rs	37.95% <0.00%> (+0.12%)	⬆️
wgpu-core/src/hub.rs	60.98% <0.00%> (+0.15%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[nical]

I started writing the test and that was a good thing as it showed that fixing the cause of the panic lets us panic in backend_direct.rs instead which treats validation errors as fatal in queue_write_texture so that has to be fixed as well, I'll do it in a week or so.

[cwfitzgerald]

I also think we may have the same problem in copy_texture_*? Or do those use the right order?

[nical]

copy_texture_to_buffer already validates the size by calling validate_texture_copy_range before validate_linear_texture_data. The other place is copy_texture_to_texture however it doesn't call validate_linear_texture_data. I don't see risky arithmetic before the validate_copy_range calls but these are easy to miss. The fuzzers will find issues if any.

[nical]

I added a commit that adds a ref to the error sink in the queue id, the same way it is done for device and similar handles, in order for relevant queue methods to be able handle errors gracefully and get the new test to pass.

[cwfitzgerald]

Great stuff, as always!