virgl: check buffer size to ensure no unsigned wraparound happens

Make sure that the passed buffer size is not negative and that
evaluating the buffer size in bytes doesn't overflow. With that
we make sure that the buf_offset in the decoding loop can't wrap
around when it is updated.

v2: - move check to virgl_renderer_submit_cmd (Chia-I)
    - remove the size conversion on both ends
v3: - keep conversion to size in bytes (Chia-I)
    - explicitely convert to uint32_t to silence a warning

Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>

src/virglrenderer.c

@@ -247,7 +247,11 @@ int virgl_renderer_submit_cmd(void *buffer,
    struct virgl_context *ctx = virgl_context_lookup(ctx_id);
    if (!ctx)
       return EINVAL;
-   return ctx->submit_cmd(ctx, buffer, sizeof(uint32_t) * ndw);
+
+   if (ndw < 0 || (unsigned)ndw > UINT32_MAX / sizeof(uint32_t))
+      return EINVAL;
+
+   return ctx->submit_cmd(ctx, buffer, ndw * sizeof(uint32_t));
 }
 
 int virgl_renderer_transfer_write_iov(uint32_t handle,

src/vrend_decode.c

@@ -1660,7 +1660,7 @@ static int vrend_decode_ctx_submit_cmd(struct virgl_context *ctx,
       return EINVAL;
 
    const uint32_t *typed_buf = (const uint32_t *)buffer;
-   const uint32_t buf_total = size / sizeof(uint32_t);
+   const uint32_t buf_total = (uint32_t)(size / sizeof(uint32_t));
    uint32_t buf_offset = 0;
 
    while (buf_offset < buf_total) {