diff --git a/src/virglrenderer.c b/src/virglrenderer.c
index 0730a1d..bc11105 100644
--- a/src/virglrenderer.c
+++ b/src/virglrenderer.c
@@ -247,7 +247,11 @@ int virgl_renderer_submit_cmd(void *buffer,
    struct virgl_context *ctx = virgl_context_lookup(ctx_id);
    if (!ctx)
       return EINVAL;
-   return ctx->submit_cmd(ctx, buffer, sizeof(uint32_t) * ndw);
+
+   if (ndw < 0 || (unsigned)ndw > UINT32_MAX / sizeof(uint32_t))
+      return EINVAL;
+
+   return ctx->submit_cmd(ctx, buffer, ndw * sizeof(uint32_t));
 }
 
 int virgl_renderer_transfer_write_iov(uint32_t handle,
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index 919dcde..91f5f24 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -1660,7 +1660,7 @@ static int vrend_decode_ctx_submit_cmd(struct virgl_context *ctx,
       return EINVAL;
 
    const uint32_t *typed_buf = (const uint32_t *)buffer;
-   const uint32_t buf_total = size / sizeof(uint32_t);
+   const uint32_t buf_total = (uint32_t)(size / sizeof(uint32_t));
    uint32_t buf_offset = 0;
 
    while (buf_offset < buf_total) {