feat(driver): prevent pinned host allocation size overflow

Compute pinned allocation bytes without wrapping before calling CUDA while preserving the existing panic-based slice-size invariant. Add a regression test for overflowing typed lengths.

Author: jordan-wu-97

src/driver/safe/core.rs

@@ -1433,10 +1433,13 @@ impl CudaContext {
         flags: u32,
     ) -> Result<PinnedHostSlice<T>, DriverError> {
         self.bind_to_thread()?;
-        let ptr = result::malloc_host(len * std::mem::size_of::<T>(), flags)?;
+        let num_bytes = len
+            .checked_mul(std::mem::size_of::<T>())
+            .expect("Pinned host allocation size overflow");
+        assert!(num_bytes < isize::MAX as usize);
+        let ptr = result::malloc_host(num_bytes, flags)?;
         let ptr = ptr as *mut T;
         assert!(!ptr.is_null());
-        assert!(len * std::mem::size_of::<T>() < isize::MAX as usize);
         assert!(ptr.is_aligned());
         let event = self.new_event(Some(sys::CUevent_flags::CU_EVENT_BLOCKING_SYNC))?;
         Ok(PinnedHostSlice { ptr, len, event })
@@ -2717,6 +2720,13 @@ mod tests {
         assert_eq!(&host, &truth);
     }
 
+    #[test]
+    #[should_panic(expected = "Pinned host allocation size overflow")]
+    fn test_alloc_pinned_panics_on_size_overflow() {
+        let ctx = CudaContext::new(0).unwrap();
+        let _ = unsafe { ctx.alloc_pinned_with_flags::<u32>(usize::MAX, 0) };
+    }
+
     #[test]
     fn test_default_pinned_host_reads_are_faster_than_write_combined() {
         fn timed_host_reads(values: &[u32], n_samples: usize) -> (std::time::Duration, u64) {