aligned_offset as u32 truncation in indirect dispatch validation
Files: src/indirect_validation/dispatch.rs:345, src/command/compute.rs:949
aligned_offset is computed as a u64 from the application-controlled buffer offset, then cast to u32 when passed as a dynamic offset to set_bind_group. If the indirect buffer is larger than 4 GiB (requires raised max_buffer_size), the truncation causes the validation shader to read from the wrong buffer location, potentially allowing an out-of-bounds dispatch to bypass validation.
src_dynamic_offset as u32 truncation in indirect draw validation
File: src/indirect_validation/draw.rs:440
Same pattern as finding 1 but for indirect draw validation. src_dynamic_offset is a u64 truncated to u32 when passed as a dynamic offset. With buffers larger than 4 GiB, the validation shader reads from a wrong offset.
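The truncation described in both findings, as an added Rust model that is not the project's code: a sparse map stands in for the indirect buffer, and `MAX_WORKGROUPS`, `validate_at`, `compare` and the sample offsets are assumptions made for illustration. It contrasts the `as u32` cast with `u32::try_from`, which rejects an offset above 4 GiB instead of wrapping it.

```rust
use std::collections::HashMap;

// Added illustration, not the project's code. Names and limits are assumptions.
const MAX_WORKGROUPS: u32 = 65_535; // assumed per-dimension dispatch limit

/// Sparse stand-in for an indirect buffer: byte offset -> workgroup count (x only).
type IndirectBuffer = HashMap<u64, u32>;

/// The pattern from the findings: `as u32` keeps only the low 32 bits.
fn dynamic_offset_truncating(aligned_offset: u64) -> u32 {
    aligned_offset as u32
}

/// Checked conversion: an offset that does not fit is rejected, not wrapped.
fn dynamic_offset_checked(aligned_offset: u64) -> Result<u32, String> {
    u32::try_from(aligned_offset)
        .map_err(|_| format!("offset {aligned_offset:#x} exceeds u32 dynamic offset range"))
}

/// Model of the validation pass: reads the args at the dynamic offset it was given.
fn validate_at(buf: &IndirectBuffer, dynamic_offset: u32) -> bool {
    buf.get(&u64::from(dynamic_offset)).map_or(false, |&x| x <= MAX_WORKGROUPS)
}

/// Returns (validation result with truncation, result with checked conversion).
fn compare(buf: &IndirectBuffer, aligned_offset: u64) -> (bool, Result<bool, String>) {
    let weak = validate_at(buf, dynamic_offset_truncating(aligned_offset));
    let strict = dynamic_offset_checked(aligned_offset).map(|off| validate_at(buf, off));
    (weak, strict)
}

/// Constructed sample: in-range args at 0x1000, over-limit args 4 GiB higher.
fn sample_buffer() -> IndirectBuffer {
    HashMap::from([(0x1000, 8), (0x1_0000_1000, u32::MAX)])
}

fn main() {
    let buf = sample_buffer();
    for offset in [0x1000u64, 0x1_0000_1000] {
        println!("{offset:#x}: {:?}", compare(&buf, offset));
    }
}
```

For the offset above 4 GiB the truncating path reports the dispatch as valid because it inspected the arguments at `0x1000`, while the checked path returns an error before any validation runs.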