From 122ae312db602cda434782267fb3345572556b6d Mon Sep 17 00:00:00 2001
From: Gert Wollny
Date: Tue, 9 Mar 2021 21:47:22 +0100
Subject: [PATCH] virgl: check buffer size to ensure no unsigned wraparound happens

Make sure that the passed buffer size is not negative and that evaluating the buffer size in bytes doesn't overflow. With that we make sure that the buf_offset in the decoding loop can't wrap around when it is updated.

v2: - move check to virgl_renderer_submit_cmd (Chia-I) - remove the size conversion on both ends
v3: - keep conversion to size in bytes (Chia-I) - explicitely convert to uint32_t to silence a warning

Signed-off-by: Gert Wollny
Reviewed-by: Chia-I Wu
---
 src/virglrenderer.c | 6 +++++-
 src/vrend_decode.c | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/virglrenderer.c b/src/virglrenderer.c
index 0730a1d..bc11105 100644
--- a/src/virglrenderer.c
+++ b/src/virglrenderer.c
@@ -247,7 +247,11 @@ int virgl_renderer_submit_cmd(void *buffer,
 struct virgl_context *ctx = virgl_context_lookup(ctx_id);
 if (!ctx)
 return EINVAL;
- return ctx->submit_cmd(ctx, buffer, sizeof(uint32_t) * ndw);
+
+ if (ndw < 0 || (unsigned)ndw > UINT32_MAX / sizeof(uint32_t))
+ return EINVAL;
+
+ return ctx->submit_cmd(ctx, buffer, ndw * sizeof(uint32_t));
 }
 
 int virgl_renderer_transfer_write_iov(uint32_t handle,
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index 919dcde..91f5f24 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -1660,7 +1660,7 @@ static int vrend_decode_ctx_submit_cmd(struct virgl_context *ctx,
 return EINVAL;
 
 const uint32_t *typed_buf = (const uint32_t *)buffer;
- const uint32_t buf_total = size / sizeof(uint32_t);
+ const uint32_t buf_total = (uint32_t)(size / sizeof(uint32_t));
 uint32_t buf_offset = 0;
 
 while (buf_offset < buf_total) {
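Review bot: The bound `UINT32_MAX / sizeof(uint32_t)` in the new check is chosen so that the byte count handed to submit_cmd fits the uint32_t that vrend_decode_ctx_submit_cmd derives from `size`, but nothing at the check records that coupling, so a later change to either side can silently break it; add above the `if`: `/* Bound ndw so the byte size fits in uint32_t: the decoder truncates size / sizeof(uint32_t) to uint32_t and its buf_offset must not wrap. */`. The `(unsigned)ndw` cast mixes `unsigned` with the `uint32_t`/`size_t` arithmetic around it; with the negative case already rejected, `(size_t)ndw > UINT32_MAX / sizeof(uint32_t)` or `ndw > (int)(UINT32_MAX / sizeof(uint32_t))` reads more uniformly. The public declaration of virgl_renderer_submit_cmd should also state that EINVAL is returned for a negative or oversized ndw, since that is now part of the contract. The signature and the type of ndw are outside the hunk, so this assumes ndw is a signed int as the `ndw < 0` test suggests.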
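Review bot: The cast on the `buf_total` line only silences the conversion warning; it does not by itself prevent truncation when `size / sizeof(uint32_t)` exceeds UINT32_MAX, and because submit_cmd is reached through a context function pointer the decoder now depends on every caller applying the bound added in virgl_renderer_submit_cmd. A local guard keeps the decoder self-contained: `if (size / sizeof(uint32_t) > UINT32_MAX) return EINVAL;` placed just before the cast. Whether the earlier `return EINVAL;` visible at the top of the hunk already rejects a `size` that is not a multiple of sizeof(uint32_t) cannot be seen here; if it does not, the integer division silently drops trailing bytes and a comment on the `buf_total` line should say so. The enclosing function vrend_decode_ctx_submit_cmd starts and ends outside the hunk.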