virgl: check buffer size to ensure no unsigned wraparound happens

Make sure that the passed buffer size is not negative and that evaluating the buffer size in bytes doesn't overflow. With that we make sure that the buf_offset in the decoding loop can't wrap around when it is updated. v2: - move check to virgl_renderer_submit_cmd (Chia-I) - remove the size conversion on both ends v3: - keep conversion to size in bytes (Chia-I) - explicitely convert to uint32_t to silence a warning Signed-off-by: Gert Wollny <gert.wollny@collabora.com> Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
5 years ago · 122ae312db
parent 722f47e5af
commit 122ae312db
2 changed files with 6 additions and 2 deletions
--- a/src/virglrenderer.c
+++ b/src/virglrenderer.c
@ -247,7 +247,11 @@ int virgl_renderer_submit_cmd(void *buffer,
   struct virgl_context *ctx = virgl_context_lookup(ctx_id);
   if (!ctx)
      return EINVAL;
-   return ctx->submit_cmd(ctx, buffer, sizeof(uint32_t) * ndw);
+
+   if (ndw < 0 || (unsigned)ndw > UINT32_MAX / sizeof(uint32_t))
+      return EINVAL;
+
+   return ctx->submit_cmd(ctx, buffer, ndw * sizeof(uint32_t));
 }

 int virgl_renderer_transfer_write_iov(uint32_t handle,
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@ -1660,7 +1660,7 @@ static int vrend_decode_ctx_submit_cmd(struct virgl_context *ctx,
      return EINVAL;

   const uint32_t *typed_buf = (const uint32_t *)buffer;
-   const uint32_t buf_total = size / sizeof(uint32_t);
+   const uint32_t buf_total = (uint32_t)(size / sizeof(uint32_t));
   uint32_t buf_offset = 0;

   while (buf_offset < buf_total) {