fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2026-05-05 20:28:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

frontends/va: fix potential overflows

Browse source 
The multiplication of 32 bits integers will be truncated before
being widened to the destination variable' size.
Reported by static analysis.

Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/35877>
This commit is contained in:
Pierre-Eric Pelloux-Prayer 2025-06-27 10:54:50 +02:00 committed by Marge Bot
parent f7890c0df9
commit c6086f3a54
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/gallium/frontends/va/buffer.c
View file

@ -68,7 +68,7 @@ vlVaCreateBuffer(VADriverContextP ctx, VAContextID context, VABufferType type,
if (buf->type == VAEncCodedBufferType)
buf->data = CALLOC(1, sizeof(VACodedBufferSegment));
else
buf->data = MALLOC(size * num_elements);
buf->data = MALLOC((size_t)size * num_elements);
if (!buf->data) {
FREE(buf);
@ -76,7 +76,7 @@ vlVaCreateBuffer(VADriverContextP ctx, VAContextID context, VABufferType type,
}
if (data)
memcpy(buf->data, data, size * num_elements);
memcpy(buf->data, data, (size_t)size * num_elements);
drv = VL_VA_DRIVER(ctx);
mtx_lock(&drv->mutex);
@ -482,7 +482,7 @@ vlVaAcquireBufferHandle(VADriverContextP ctx, VABufferID buf_id,
buf_info->type = buf->type;
buf_info->mem_type = mem_type;
buf_info->mem_size = buf->num_elements * buf->size;
buf_info->mem_size = buf->num_elements * (size_t)buf->size;
}
buf->export_refcount++;