diff options
| author | Brian Paul <brianp@vmware.com> | 2011-06-10 13:07:30 -0600 |
|---|---|---|
| committer | Brian Paul <brianp@vmware.com> | 2011-06-10 13:09:41 -0600 |
| commit | 788dda53cf3fd636a7ec579ce6ef2062004627ea (patch) | |
| tree | 2825c31e7cbf9352b5af07411564d1f8408a36da | |
| parent | cc5d54e797eff0d1da72ae197d3250310e21a9d6 (diff) | |
vbo: check array indexes to prevent negative indexing
See the piglit dlist-fdo31590.c test
NOTE: This is a candidate for the 7.10 branch.
(cherry picked from commit f1cdce95f606584a56eabf3b38eea19ff4c75757)
| -rw-r--r-- | src/mesa/vbo/vbo_exec_api.c | 12 | ||||
| -rw-r--r-- | src/mesa/vbo/vbo_save_api.c | 11 |
2 files changed, 13 insertions, 10 deletions
diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c index fb981ccc3bc..8117c48632e 100644 --- a/src/mesa/vbo/vbo_exec_api.c +++ b/src/mesa/vbo/vbo_exec_api.c @@ -568,11 +568,15 @@ static void GLAPIENTRY vbo_exec_End( void ) if (ctx->Driver.CurrentExecPrimitive != PRIM_OUTSIDE_BEGIN_END) { struct vbo_exec_context *exec = &vbo_context(ctx)->exec; - int idx = exec->vtx.vert_count; - int i = exec->vtx.prim_count - 1; - exec->vtx.prim[i].end = 1; - exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start; + if (exec->vtx.prim_count > 0) { + /* close off current primitive */ + int idx = exec->vtx.vert_count; + int i = exec->vtx.prim_count - 1; + + exec->vtx.prim[i].end = 1; + exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start; + } ctx->Driver.CurrentExecPrimitive = PRIM_OUTSIDE_BEGIN_END; diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c index 817d478e2ac..0db93a6192d 100644 --- a/src/mesa/vbo/vbo_save_api.c +++ b/src/mesa/vbo/vbo_save_api.c @@ -678,12 +678,11 @@ static void DO_FALLBACK( struct gl_context *ctx ) struct vbo_save_context *save = &vbo_context(ctx)->save; if (save->vert_count || save->prim_count) { - GLint i = save->prim_count - 1; - - /* Close off in-progress primitive. - */ - save->prim[i].count = (save->vert_count - - save->prim[i].start); + if (save->prim_count > 0) { + /* Close off in-progress primitive. */ + GLint i = save->prim_count - 1; + save->prim[i].count = save->vert_count - save->prim[i].start; + } /* Need to replay this display list with loopback, * unfortunately, otherwise this primitive won't be handled |