tnl: Don't dereference NULL obj pointer in replay_init

Structurally the code is now similar to the handling of other
gl_buffer_object::obj pointers elsewhere in TNL.  The fixes tag is a
little bit misleading.  I think the change in that commit just exposes a
previously existing bug.

Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/2746
Fixes: f3cce7087a5 ("mesa: don't ever bind NullBufferObj for glBindBuffer targets")
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/4512>

1 files changed, 10 insertions, 8 deletions

diff --git a/src/mesa/tnl/t_split_copy.c b/src/mesa/tnl/t_split_copy.c
index 801cb71790b..10f90b57d4d 100644
--- a/src/mesa/tnl/t_split_copy.c
+++ b/src/mesa/tnl/t_split_copy.c
@@ -476,14 +476,16 @@ replay_init(struct copy_context *copy)
     * caller convert non-indexed prims to indexed.  Could alternately
     * do it internally.
     */
-   if (copy->ib->obj &&
-       !_mesa_bufferobj_mapped(copy->ib->obj, MAP_INTERNAL))
-      ctx->Driver.MapBufferRange(ctx, 0, copy->ib->obj->Size, GL_MAP_READ_BIT,
-                                 copy->ib->obj, MAP_INTERNAL);
-
-   srcptr = (const GLubyte *)
-            ADD_POINTERS(copy->ib->obj->Mappings[MAP_INTERNAL].Pointer,
-                         copy->ib->ptr);
+   if (copy->ib->obj) {
+      if (!_mesa_bufferobj_mapped(copy->ib->obj, MAP_INTERNAL))
+         ctx->Driver.MapBufferRange(ctx, 0, copy->ib->obj->Size, GL_MAP_READ_BIT,
+                                    copy->ib->obj, MAP_INTERNAL);
+
+      srcptr = (const GLubyte *)
+         ADD_POINTERS(copy->ib->obj->Mappings[MAP_INTERNAL].Pointer,
+                      copy->ib->ptr);
+   } else
+      srcptr = copy->ib->ptr;
 
    switch (copy->ib->index_size_shift) {
    case 0: