[Mesa-dev] [PATCH 5/5] draw/so: Fix overflow calculations
Zack Rusin
zackr at vmware.com
Tue Apr 23 15:58:39 PDT 2013
We weren't taking the buffer offset, destination offset or the
stride into consideration so we were frequently writing into
an overflown buffer.
Signed-off-by: Zack Rusin <zackr at vmware.com>
---
src/gallium/auxiliary/draw/draw_pt_so_emit.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/gallium/auxiliary/draw/draw_pt_so_emit.c b/src/gallium/auxiliary/draw/draw_pt_so_emit.c
index 563bf65..e834357 100644
--- a/src/gallium/auxiliary/draw/draw_pt_so_emit.c
+++ b/src/gallium/auxiliary/draw/draw_pt_so_emit.c
@@ -129,20 +129,25 @@ static void so_emit_prim(struct pt_so_emit *so,
for (i = 0; i < draw->so.num_targets; i++) {
struct draw_so_target *target = draw->so.targets[i];
- buffer_total_bytes[i] = target->internal_offset;
+ buffer_total_bytes[i] = target->internal_offset + target->target.buffer_offset;
}
/* check have we space to emit prim first - if not don't do anything */
for (i = 0; i < num_vertices; ++i) {
+ unsigned ob;
for (slot = 0; slot < state->num_outputs; ++slot) {
unsigned num_comps = state->output[slot].num_components;
int ob = state->output[slot].output_buffer;
+ unsigned dst_offset = state->output[slot].dst_offset * sizeof(float);
+ unsigned write_size = num_comps * sizeof(float);
- if ((buffer_total_bytes[ob] + num_comps * sizeof(float)) >
+ if ((buffer_total_bytes[ob] + write_size + dst_offset) >
draw->so.targets[ob]->target.buffer_size) {
return;
}
- buffer_total_bytes[ob] += num_comps * sizeof(float);
+ }
+ for (ob = 0; ob < draw->so.num_targets; ++ob) {
+ buffer_total_bytes[ob] += state->stride[ob] * sizeof(float);
}
}
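Review bot: The `unsigned ob;` added at the top of the per-vertex loop is shadowed by the existing `int ob = state->output[slot].output_buffer;` inside the slot loop, so one name is a signed output-buffer index in the inner scope and an unsigned loop counter in the outer one. Giving the new counter its own name would avoid the shadowing warning and make it obvious which `ob` the stride update uses. Separately, `buffer_total_bytes[i]` now starts at `internal_offset + target.buffer_offset` but is still compared against `target.buffer_size`. A short comment stating whether `buffer_size` is measured from the start of the resource or from `buffer_offset` would let a reader confirm the bound is not off by the offset. In the visible lines the inner `ob` also indexes `buffer_total_bytes` and `draw->so.targets` without being checked against `draw->so.num_targets`; if that is validated when the stream output state is created, a note or an assert here would document it.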
--
1.7.10.4