virgl: check buffer size to ensure no unsigned wraparound happens

Make sure that the passed buffer size is not negative and that
evaluating the buffer size in bytes doesn't overflow. With that
we make sure that the buf_offset in the decoding loop can't wrap
around when it is updated.

v2: - move check to virgl_renderer_submit_cmd (Chia-I)
    - remove the size conversion on both ends
v3: - keep conversion to size in bytes (Chia-I)
    - explicitly convert to uint32_t to silence a warning

Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Gert Wollny 4 years ago committed by Gert Wollny
parent 722f47e5af
commit 122ae312db
  1. 6
      src/virglrenderer.c
  2. 2
      src/vrend_decode.c

@ -247,7 +247,11 @@ int virgl_renderer_submit_cmd(void *buffer,
struct virgl_context *ctx = virgl_context_lookup(ctx_id); struct virgl_context *ctx = virgl_context_lookup(ctx_id);
if (!ctx) if (!ctx)
return EINVAL; return EINVAL;
return ctx->submit_cmd(ctx, buffer, sizeof(uint32_t) * ndw);
if (ndw < 0 || (unsigned)ndw > UINT32_MAX / sizeof(uint32_t))
return EINVAL;
return ctx->submit_cmd(ctx, buffer, ndw * sizeof(uint32_t));
} }
int virgl_renderer_transfer_write_iov(uint32_t handle, int virgl_renderer_transfer_write_iov(uint32_t handle,
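Review bot: The new bound `(unsigned)ndw > UINT32_MAX / sizeof(uint32_t)` encodes an invariant that lives in another file (the decoder keeps buf_total and buf_offset as uint32_t), but nothing at this call site says so, so a later change to either side can silently break the pairing. A one-line comment above the check, `/* the decoder counts dwords in uint32_t; reject counts whose byte size would not fit */`, would tie the two together, and a shared named constant (a constructed placeholder such as `MAX_CMD_DWORDS`) used by both files would be better still. The cast could also be `(uint32_t)ndw` to match the width the comparison reasons about. virgl_renderer_submit_cmd begins before the hunk, so the declaration of ndw is not visible here; the note assumes it is a signed int, as the `ndw < 0` test implies.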

@ -1660,7 +1660,7 @@ static int vrend_decode_ctx_submit_cmd(struct virgl_context *ctx,
return EINVAL; return EINVAL;
const uint32_t *typed_buf = (const uint32_t *)buffer; const uint32_t *typed_buf = (const uint32_t *)buffer;
const uint32_t buf_total = size / sizeof(uint32_t); const uint32_t buf_total = (uint32_t)(size / sizeof(uint32_t));
uint32_t buf_offset = 0; uint32_t buf_offset = 0;
while (buf_offset < buf_total) { while (buf_offset < buf_total) {
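Review bot: The cast `(uint32_t)(size / sizeof(uint32_t))` on the buf_total line silences the warning but also hides a truncation if this function is ever reached with a size above UINT32_MAX; the only thing preventing that is the check in virgl_renderer_submit_cmd, and ctx->submit_cmd is a function pointer that other callers could reach. A comment recording the dependency, `/* virgl_renderer_submit_cmd bounds size so the dword count fits uint32_t; the cast cannot truncate */`, keeps the invariant visible, or a local guard next to the existing EINVAL return, `if (size > UINT32_MAX) return EINVAL;`, would make the decoder self-protecting (on 32-bit targets that comparison is trivially false and may warn). vrend_decode_ctx_submit_cmd starts before the hunk, so the checks that precede the existing `return EINVAL;` are not visible here.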
