From d8eaf52b331ef664031128f5f2a518b6248c1e8c Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Tue, 7 Jun 2011 14:19:08 -0600 Subject: [PATCH 1/2] vbo: check array indexes to prevent negative indexing See the piglit dlist-fdo31590.c test NOTE: This is a candidate for the 7.10 branch. --- src/mesa/vbo/vbo_exec_api.c | 12 ++++++++---- src/mesa/vbo/vbo_save_api.c | 11 +++++------ 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c index 3c7c439..2b8d38e 100644 --- a/src/mesa/vbo/vbo_exec_api.c +++ b/src/mesa/vbo/vbo_exec_api.c @@ -608,11 +608,15 @@ static void GLAPIENTRY vbo_exec_End( void ) if (ctx->Driver.CurrentExecPrimitive != PRIM_OUTSIDE_BEGIN_END) { struct vbo_exec_context *exec = &vbo_context(ctx)->exec; - int idx = exec->vtx.vert_count; - int i = exec->vtx.prim_count - 1; - exec->vtx.prim[i].end = 1; - exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start; + if (exec->vtx.prim_count > 0) { + /* close off current primitive */ + int idx = exec->vtx.vert_count; + int i = exec->vtx.prim_count - 1; + + exec->vtx.prim[i].end = 1; + exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start; + } ctx->Driver.CurrentExecPrimitive = PRIM_OUTSIDE_BEGIN_END; diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c index 836c76f..cf821a7 100644 --- a/src/mesa/vbo/vbo_save_api.c +++ b/src/mesa/vbo/vbo_save_api.c @@ -686,12 +686,11 @@ static void DO_FALLBACK( struct gl_context *ctx ) struct vbo_save_context *save = &vbo_context(ctx)->save; if (save->vert_count || save->prim_count) { - GLint i = save->prim_count - 1; - - /* Close off in-progress primitive. - */ - save->prim[i].count = (save->vert_count - - save->prim[i].start); + if (save->prim_count > 0) { + /* Close off in-progress primitive. */ + GLint i = save->prim_count - 1; + save->prim[i].count = save->vert_count - save->prim[i].start; + } /* Need to replay this display list with loopback, * unfortunately, otherwise this primitive won't be handled -- 1.7.3.4