From 3aa3b09e6d3534d12d4049d68529350d9fa8af2b Mon Sep 17 00:00:00 2001
From: Jason Macnak
Date: Mon, 1 Jun 2026 13:44:36 -0700
Subject: [PATCH] Validate staging buffer large enough for readback

Bug: b/514123382
Test: cvd create --gpu_mode=gfxstream_guest_angle
Change-Id: I4b9524344c124a27620a695274efcdf2e74f66aa
---
 host/vulkan/vk_common_operations.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/host/vulkan/vk_common_operations.cpp b/host/vulkan/vk_common_operations.cpp
index 0449c9983..435fa9517 100644
--- a/host/vulkan/vk_common_operations.cpp
+++ b/host/vulkan/vk_common_operations.cpp
@@ -3275,6 +3275,14 @@ bool VkEmulation::readColorBufferToBytesLocked(uint32_t colorBufferHandle, uint3
 VkDeviceSize bufferCopySize = transferInfo.stagingBufferCopySize;
 const std::vector& bufferImageCopies = transferInfo.bufferImageCopies;
 
+ const VkDeviceSize stagingBufferSize = mStaging.mAllocationSize;
+ if (bufferCopySize > stagingBufferSize) {
+ GFXSTREAM_ERROR("Failed to read ColorBuffer:%d, transfer size %" PRIu64
+ " too large for staging buffer size:%" PRIu64 ".",
+ colorBufferHandle, bufferCopySize, stagingBufferSize);
+ return false;
+ }
+
 // Avoid transitioning from VK_IMAGE_LAYOUT_UNDEFINED. Unfortunetly, Android does not
 // yet have a mechanism for sharing the expected VkImageLayout. However, the Vulkan
 // spec's image layout transition sections says "If the old layout is
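Review bot: The new guard only compares the aggregate `transferInfo.stagingBufferCopySize` against `mStaging.mAllocationSize`, while the copy the device actually performs is driven by the individual `bufferImageCopies` entries (each `bufferOffset` plus its region extent); if those entries are computed separately from the aggregate, a region could still end past the staging allocation and this check would not catch it, so either also verify that every entry's end offset is within `stagingBufferSize`, or add a comment above the guard stating that `stagingBufferCopySize` is by construction the maximum end offset over `bufferImageCopies`. A smaller point on the error message: `colorBufferHandle` is a `uint32_t` but is formatted with `%d`; `"Failed to read ColorBuffer:%u, transfer size %" PRIu64` avoids printing large handles as negative values. Whether the mirrored write path (guest bytes staged into the same buffer) carries the same bound is not visible here and is worth confirming. `readColorBufferToBytesLocked` begins before and ends after this hunk.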