An out-of-bound write was found in virglrenderer in src/vrend_renderer.c:read_transfer_data().
Upstream commit: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
MR: https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654/commits
Created virglrenderer tracking bugs for this issue:
Affects: epel-8 [bug 2048607]
Affects: fedora-all [bug 2048606]
The flaw arises because both vrend_renderer_transfer_write_iov() and read_transfer_data() compute `send_size`: the former to allocate a buffer, the latter to transfer data into it. They do not compute it the same way, however: vrend_renderer_transfer_write_iov() does not take `box->depth` into account. Under certain circumstances this could lead to the allocation of a heap buffer that is smaller than the data read_transfer_data() later writes into it, i.e. an out-of-bounds heap write.
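The mismatch can be shown in miniature. The C model below is an added example, not virglrenderer's code: bytes_needed() sizes the transfer the way a consumer that honours box->depth does, alloc_size_without_depth() sizes it as if the box had a single layer, and transfer_fits() is the kind of guard that rejects the copy before it can overrun the buffer. The box layout, the stride/layer_stride arithmetic and the 64x64x4 RGBA8 input are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a 3D transfer box (assumed layout, not virglrenderer's struct). */
struct box { unsigned width, height, depth; };
/* Bytes a copy of the box will touch: offset of the last texel of the last row of
 * the last layer plus that texel's size. Overflow-checked; false on overflow/empty box. */
static bool bytes_needed(const struct box *b, size_t bpp, size_t stride,
                         size_t layer_stride, size_t *out)
{
   size_t layers, rows, texels, total;
   if (b->width == 0 || b->height == 0 || b->depth == 0) return false;
   if (__builtin_mul_overflow((size_t)b->depth - 1, layer_stride, &layers) ||
       __builtin_mul_overflow((size_t)b->height - 1, stride, &rows) ||
       __builtin_mul_overflow((size_t)b->width, bpp, &texels) ||
       __builtin_add_overflow(layers, rows, &total) ||
       __builtin_add_overflow(total, texels, &total))
      return false;
   *out = total;
   return true;
}

/* The flaw pattern: the buffer is sized as if the box had a single layer. */
static bool alloc_size_without_depth(const struct box *b, size_t bpp, size_t stride,
                                     size_t layer_stride, size_t *out)
{
   struct box flat = { b->width, b->height, 1 };
   return bytes_needed(&flat, bpp, stride, layer_stride, out);
}

/* Hardened guard: refuse the copy unless what the consumer will touch fits the buffer. */
static bool transfer_fits(const struct box *b, size_t bpp, size_t stride,
                          size_t layer_stride, size_t buf_size)
{
   size_t need;
   return bytes_needed(b, bpp, stride, layer_stride, &need) && need <= buf_size;
}

int main(void)
{
   /* Constructed input: 64x64 RGBA8 box with 4 layers, tightly packed. */
   struct box b = { 64, 64, 4 };
   size_t stride = 64 * 4, layer_stride = stride * 64, alloc = 0, need = 0;
   alloc_size_without_depth(&b, 4, stride, layer_stride, &alloc);
   bytes_needed(&b, 4, stride, layer_stride, &need);
   printf("allocated %zu bytes, copy touches %zu bytes, fits=%d\n", alloc, need,
          transfer_fits(&b, 4, stride, layer_stride, alloc)); /* 16384, 65536, fits=0 */
   return 0;
}
```

With depth == 1 both formulas agree, which is why the undersized allocation only shows up for multi-layer transfers.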