virgl: Ensure to not overflow when encoding string marker
The maximal length is 65535 as an offset of 16 bits is being used to encode it. Afterwards in VIRGL_CMD0, the buf_len equals 65536, so buf_len << 16 overflows its type which is uint32_t. CID: 1604743 Overflowed constant Signed-off-by: Corentin Noël <corentin.noel@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34816>
This commit is contained in:
@@ -1736,9 +1736,9 @@ void virgl_encode_emit_string_marker(struct virgl_context *ctx,
|
||||
if (len <= 0)
|
||||
return;
|
||||
|
||||
if (len > 4 * 0xffff) {
|
||||
if (len > 4 * 0xffff - 4) {
|
||||
debug_printf("VIRGL: host debug flag string too long, will be truncated\n");
|
||||
len = 4 * 0xffff;
|
||||
len = 4 * 0xffff - 4;
|
||||
}
|
||||
|
||||
uint32_t buf_len = (uint32_t )(len + 3) / 4 + 1;
|
||||
|
||||
Reference in New Issue
Block a user