Mesa (master): Cap array elements at 0 when passed an invalid pointer for an array object .
Eric Anholt
anholt at kemper.freedesktop.org
Tue Jul 7 22:44:32 UTC 2009
Module: Mesa
Branch: master
Commit: 058e96916b1ee661dfc16052b79b3aa9fcb47690
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=058e96916b1ee661dfc16052b79b3aa9fcb47690
Author: Eric Anholt <eric at anholt.net>
Date: Wed Feb 25 11:57:44 2009 -0800
Cap array elements at 0 when passed an invalid pointer for an array object.
Otherwise, a pointer greater than the size would underflow and give a large
maximum element.
Reviewed-by: Brian Paul <brianp at vmware.com> (previous version)
---
src/mesa/main/state.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/src/mesa/main/state.c b/src/mesa/main/state.c
index 7b41b8f..3b2c6ec 100644
--- a/src/mesa/main/state.c
+++ b/src/mesa/main/state.c
@@ -75,6 +75,16 @@ compute_max_element(struct gl_client_array *array)
{
assert(array->Enabled);
if (array->BufferObj->Name) {
+ GLsizeiptrARB offset = (GLsizeiptrARB) array->Ptr;
+ GLsizeiptrARB obj_size = (GLsizeiptrARB) array->BufferObj->Size;
+
+ if (offset < obj_size) {
+ array->_MaxElement = (obj_size - offset +
+ array->StrideB -
+ array->_ElementSize) / array->StrideB;
+ } else {
+ array->_MaxElement = 0;
+ }
/* Compute the max element we can access in the VBO without going
* out of bounds.
*/
More information about the mesa-commit
mailing list