There actually is a possibility that even one message would overflow the buffer. Unlike the other debug library stack I wrote (which I might work on upstreaming during GSoC), where buffers are specified in kilobyte multiples, the user specifies CBMEM console size as a number of bytes. Some of this code, such as the comment "So, no chance that one message could overflow even the smallest buffer", is based on my work there. If the user sets the size to less than 512 (the size of the largest message that DebugLib instances might route here), the buffer will overflow. Is another sanity check needed, or is this possibility so much of an edge-case that it's unnecessary?

I know that UefiPayloadPkg gained SMM support recently, but we're actually safe from confused-deputy attacks because SMM uses the null instance of ReportStatusCodeLib, so no messages are routed here. (Aside: While SMM debug is desirable and could possibly be implemented safely, I don't consider it production-ready.)