An out-of-bound write was found in virglrenderer in src/vrend_renderer.c:read_transfer_data().
Created virglrenderer tracking bugs for this issue:
Affects: epel-8 [bug 2048607]
Affects: fedora-all [bug 2048606]
The flaw arises from the fact that both vrend_renderer_transfer_write_iov() and read_transfer_data() calculate `send_size` to allocate a buffer and transfer data to it, respectively. However, they calculate the size in a slightly different way: vrend_renderer_transfer_write_iov() does not take `box->depth` into account. Under certain circumstances, this could lead to the allocation of a smaller heap buffer which is later accessed out-of-bounds by read_transfer_data.
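The size mismatch described above, as an added example that is not virglrenderer's code: a simplified model of two size formulas, one ignoring depth and one including it, plus a copy routine that sizes the allocation and the copy from a single overflow-checked formula. The `box3d` struct, the `bpp` (bytes per pixel) parameter and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a transfer box; not the virglrenderer struct. */
struct box3d { uint32_t width, height, depth; };

/* Multiply with overflow detection so a huge box cannot wrap the size. */
static bool mul_ok(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Allocation-side formula as the report describes it: depth is ignored. */
static bool alloc_size_2d(const struct box3d *b, size_t bpp, size_t *out) {
    return mul_ok(b->width, b->height, out) && mul_ok(*out, bpp, out);
}

/* Copy-side formula: the same product, multiplied by depth. */
static bool copy_size_3d(const struct box3d *b, size_t bpp, size_t *out) {
    return alloc_size_2d(b, bpp, out) && mul_ok(*out, b->depth, out);
}

/* True when a buffer sized by the 2D formula is too small for the 3D copy. */
static bool size_mismatch(const struct box3d *b, size_t bpp) {
    size_t a, c;
    if (!alloc_size_2d(b, bpp, &a) || !copy_size_3d(b, bpp, &c)) return true;
    return c > a;
}

/* Hardened pattern: one formula sizes both the allocation and the copy. */
uint8_t *copy_transfer(const struct box3d *b, size_t bpp,
                       const uint8_t *src, size_t src_len, size_t *len) {
    size_t need;
    if (!copy_size_3d(b, bpp, &need) || need == 0 || src_len < need) return NULL;
    uint8_t *dst = malloc(need);
    if (dst) { memcpy(dst, src, need); *len = need; }
    return dst;
}

int main(void) {
    struct box3d flat = {4, 4, 1}, deep = {4, 4, 3};  /* constructed sample boxes */
    printf("flat mismatch=%d deep mismatch=%d\n",
           size_mismatch(&flat, 4), size_mismatch(&deep, 4));
    return 0;
}
```

With a depth of 1 the two formulas agree, which is why a mismatch of this kind can go unnoticed until a box with a larger depth is transferred.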