Mesa (7.10): vbo: check array indexes to prevent negative indexing

[Brian Paul]

Module: Mesa
Branch: 7.10
Commit: 788dda53cf3fd636a7ec579ce6ef2062004627ea
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=788dda53cf3fd636a7ec579ce6ef2062004627ea

Author: Brian Paul <brianp at vmware.com>
Date:   Fri Jun 10 13:07:30 2011 -0600

vbo: check array indexes to prevent negative indexing

See the piglit dlist-fdo31590.c test

NOTE: This is a candidate for the 7.10 branch.
(cherry picked from commit f1cdce95f606584a56eabf3b38eea19ff4c75757)

---

 src/mesa/vbo/vbo_exec_api.c |   12 ++++++++----
 src/mesa/vbo/vbo_save_api.c |   11 +++++------
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c
index fb981cc..8117c48 100644
--- a/src/mesa/vbo/vbo_exec_api.c
+++ b/src/mesa/vbo/vbo_exec_api.c
@@ -568,11 +568,15 @@ static void GLAPIENTRY vbo_exec_End( void )
 
    if (ctx->Driver.CurrentExecPrimitive != PRIM_OUTSIDE_BEGIN_END) {
       struct vbo_exec_context *exec = &vbo_context(ctx)->exec;
-      int idx = exec->vtx.vert_count;
-      int i = exec->vtx.prim_count - 1;
 
-      exec->vtx.prim[i].end = 1; 
-      exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start;
+      if (exec->vtx.prim_count > 0) {
+         /* close off current primitive */
+         int idx = exec->vtx.vert_count;
+         int i = exec->vtx.prim_count - 1;
+
+         exec->vtx.prim[i].end = 1; 
+         exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start;
+      }
 
       ctx->Driver.CurrentExecPrimitive = PRIM_OUTSIDE_BEGIN_END;
 
diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c
index 817d478..0db93a6 100644
--- a/src/mesa/vbo/vbo_save_api.c
+++ b/src/mesa/vbo/vbo_save_api.c
@@ -678,12 +678,11 @@ static void DO_FALLBACK( struct gl_context *ctx )
    struct vbo_save_context *save = &vbo_context(ctx)->save;
 
    if (save->vert_count || save->prim_count) {
-      GLint i = save->prim_count - 1;
-
-      /* Close off in-progress primitive.
-       */
-      save->prim[i].count = (save->vert_count - 
-                             save->prim[i].start);
+      if (save->prim_count > 0) {
+         /* Close off in-progress primitive. */
+         GLint i = save->prim_count - 1;
+         save->prim[i].count = save->vert_count - save->prim[i].start;
+      }
 
       /* Need to replay this display list with loopback,
        * unfortunately, otherwise this primitive won't be handled