From 058e96916b1ee661dfc16052b79b3aa9fcb47690 Mon Sep 17 00:00:00 2001
From: Eric Anholt
Date: Wed, 25 Feb 2009 11:57:44 -0800
Subject: Cap array elements at 0 when passed an invalid pointer for an array object. Otherwise, a pointer greater than the size would underflow and give a large maximum element.
Reviewed-by: Brian Paul (previous version)
---
 src/mesa/main/state.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'src/mesa/main/state.c')
diff --git a/src/mesa/main/state.c b/src/mesa/main/state.c
index 7b41b8f4da..3b2c6ec618 100644
--- a/src/mesa/main/state.c
+++ b/src/mesa/main/state.c
@@ -75,6 +75,16 @@ compute_max_element(struct gl_client_array *array)
 {
 assert(array->Enabled);
 if (array->BufferObj->Name) {
+ GLsizeiptrARB offset = (GLsizeiptrARB) array->Ptr;
+ GLsizeiptrARB obj_size = (GLsizeiptrARB) array->BufferObj->Size;
+
+ if (offset < obj_size) {
+ array->_MaxElement = (obj_size - offset +
+ array->StrideB -
+ array->_ElementSize) / array->StrideB;
+ } else {
+ array->_MaxElement = 0;
+ }
 /* Compute the max element we can access in the VBO without going
 * out of bounds.
 */
-- 
cgit v1.2.3
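Review bot: The guard `if (offset < obj_size)` in compute_max_element still lets two bad cases reach the division: a `Ptr` whose cast to the signed `GLsizeiptrARB` is negative, and an offset that leaves fewer than `_ElementSize` bytes before the end of the buffer. In the first case `obj_size - offset` grows instead of shrinking, and in the second the numerator can go negative if `StrideB` is allowed to be smaller than `_ElementSize`; either way `_MaxElement` may end up larger than the buffer permits, which is the out-of-bounds condition this change is meant to close. A tighter test would be `if (offset >= 0 && offset < obj_size && obj_size - offset >= (GLsizeiptrARB) array->_ElementSize) {`. The function body continues past the hunk, and the trailing context comment suggests the older `_MaxElement` computation still follows; if it does and is unconditional, it would overwrite the capped value and should be removed or folded into the guarded branch.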