From 965f41b550c0617aec3aea44bc5467491356e3ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Corentin=20No=C3=ABl?= Date: Mon, 5 May 2025 15:51:41 +0200 Subject: [PATCH] virgl: Ensure to not overflow when encoding string marker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The maximal length is 65535 as an offset of 16 bits is being used to encode it. Afterwards in VIRGL_CMD0, the buf_len equals 65536, so buf_len << 16 overflows its type which is uint32_t. CID: 1604743 Overflowed constant Signed-off-by: Corentin Noël Part-of: --- src/gallium/drivers/virgl/virgl_encode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/gallium/drivers/virgl/virgl_encode.c b/src/gallium/drivers/virgl/virgl_encode.c index ad0174ec9e1..09b4a5e26dc 100644 --- a/src/gallium/drivers/virgl/virgl_encode.c +++ b/src/gallium/drivers/virgl/virgl_encode.c @@ -1736,9 +1736,9 @@ void virgl_encode_emit_string_marker(struct virgl_context *ctx, if (len <= 0) return; - if (len > 4 * 0xffff) { + if (len > 4 * 0xffff - 4) { debug_printf("VIRGL: host debug flag string too long, will be truncated\n"); - len = 4 * 0xffff; + len = 4 * 0xffff - 4; } uint32_t buf_len = (uint32_t )(len + 3) / 4 + 1;