virgl: Ensure to not overflow when encoding string marker

The maximal length is 65535 as an offset of 16 bits is being used to encode it.

Afterwards in VIRGL_CMD0, the buf_len equals 65536, so buf_len << 16 overflows its type which is uint32_t.

CID: 1604743 Overflowed constant
Signed-off-by: Corentin Noël <corentin.noel@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/34816>
This commit is contained in:
Corentin Noël
2025-05-05 15:51:41 +02:00
committed by Marge Bot
parent 11a7b112cb
commit 965f41b550
+2 -2
View File
@@ -1736,9 +1736,9 @@ void virgl_encode_emit_string_marker(struct virgl_context *ctx,
if (len <= 0)
return;
if (len > 4 * 0xffff) {
if (len > 4 * 0xffff - 4) {
debug_printf("VIRGL: host debug flag string too long, will be truncated\n");
len = 4 * 0xffff;
len = 4 * 0xffff - 4;
}
uint32_t buf_len = (uint32_t )(len + 3) / 4 + 1;