From 83f1183e769777df5ada4bf7add3390881f88d02 Mon Sep 17 00:00:00 2001
From: Markus Fleschutz <markus.fleschutz@x-software.com>
Date: Fri, 26 Feb 2010 10:34:19 -0700
Subject: glx: fix incorrect array stack memory allocation

The array stack space wasn't allocated to the proper size.  Fixes out of
bounds memory writes when the client/array stack depth exceeds one.

See fd.o bug 26768.
---
 src/glx/indirect_vertex_array.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/glx/indirect_vertex_array.c')

diff --git a/src/glx/indirect_vertex_array.c b/src/glx/indirect_vertex_array.c
index ad9882528f..ec0e654cea 100644
--- a/src/glx/indirect_vertex_array.c
+++ b/src/glx/indirect_vertex_array.c
@@ -291,7 +291,8 @@ __glXInitVertexArrayState(__GLXcontext * gc)
 
    arrays->stack_index = 0;
    arrays->stack = malloc(sizeof(struct array_stack_state)
-                          * arrays->num_arrays);
+                          * arrays->num_arrays
+                          * __GL_CLIENT_ATTRIB_STACK_DEPTH);
 }
 
 
-- 
cgit v1.2.3