authorEric Anholt <eric@anholt.net>2009-02-25 11:57:44 -0800
committerEric Anholt <eric@anholt.net>2009-07-07 15:16:28 -0700
commit058e96916b1ee661dfc16052b79b3aa9fcb47690 (patch)
tree533a7c9711e2aef13baee43357c67e231ebded47
parent28471cfa970702128d822c2ecbb1703eedbca245 (diff)
Cap array elements at 0 when passed an invalid pointer for an array object.
Otherwise, a pointer greater than the size would underflow and give a large maximum element. Reviewed-by: Brian Paul <brianp@vmware.com> (previous version)
-rw-r--r--src/mesa/main/state.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/mesa/main/state.c b/src/mesa/main/state.c
index 7b41b8f4da..3b2c6ec618 100644
--- a/src/mesa/main/state.c
+++ b/src/mesa/main/state.c
@@ -75,6 +75,16 @@ compute_max_element(struct gl_client_array *array)
{
assert(array->Enabled);
if (array->BufferObj->Name) {
+ GLsizeiptrARB offset = (GLsizeiptrARB) array->Ptr;
+ GLsizeiptrARB obj_size = (GLsizeiptrARB) array->BufferObj->Size;
+
+ if (offset < obj_size) {
+ array->_MaxElement = (obj_size - offset +
+ array->StrideB -
+ array->_ElementSize) / array->StrideB;
+ } else {
+ array->_MaxElement = 0;
+ }
/* Compute the max element we can access in the VBO without going
* out of bounds.
*/
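Review bot: The guarded computation is inserted above the existing comment `/* Compute the max element we can access in the VBO ... */` and the commit deletes nothing (10 insertions, 0 deletions), so if the original unguarded `array->_MaxElement = ...` assignment still follows that comment outside the hunk, it overwrites the capped value and the fix has no effect; the old assignment should be dropped and the comment moved above the new `if`. Separately, `GLsizeiptrARB` is a signed type, so an `array->Ptr` value with the top bit set becomes a negative `offset`, passes `offset < obj_size`, and makes `obj_size - offset` large again; `if (offset >= 0 && offset < obj_size) {` closes that case. A tail shorter than one element (`obj_size - offset < array->_ElementSize`) combined with a `StrideB` smaller than `_ElementSize` could also drive the numerator negative before it is stored in `_MaxElement`, which is worth confirming against the field types, as they are not visible here. compute_max_element's body continues outside the hunk.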