vbo: check array indexes to prevent negative indexing

See the piglit dlist-fdo31590.c test

NOTE: This is a candidate for the 7.10 branch.

2 files changed, 13 insertions, 10 deletions

diff --git a/src/mesa/vbo/vbo_exec_api.c b/src/mesa/vbo/vbo_exec_api.c
index 3c7c439b64c..2b8d38ef283 100644
--- a/src/mesa/vbo/vbo_exec_api.c
+++ b/src/mesa/vbo/vbo_exec_api.c
@@ -608,11 +608,15 @@ static void GLAPIENTRY vbo_exec_End( void )
 
    if (ctx->Driver.CurrentExecPrimitive != PRIM_OUTSIDE_BEGIN_END) {
       struct vbo_exec_context *exec = &vbo_context(ctx)->exec;
-      int idx = exec->vtx.vert_count;
-      int i = exec->vtx.prim_count - 1;
 
-      exec->vtx.prim[i].end = 1; 
-      exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start;
+      if (exec->vtx.prim_count > 0) {
+         /* close off current primitive */
+         int idx = exec->vtx.vert_count;
+         int i = exec->vtx.prim_count - 1;
+
+         exec->vtx.prim[i].end = 1; 
+         exec->vtx.prim[i].count = idx - exec->vtx.prim[i].start;
+      }
 
       ctx->Driver.CurrentExecPrimitive = PRIM_OUTSIDE_BEGIN_END;
 
diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c
index 836c76fe835..cf821a72de0 100644
--- a/src/mesa/vbo/vbo_save_api.c
+++ b/src/mesa/vbo/vbo_save_api.c
@@ -686,12 +686,11 @@ static void DO_FALLBACK( struct gl_context *ctx )
    struct vbo_save_context *save = &vbo_context(ctx)->save;
 
    if (save->vert_count || save->prim_count) {
-      GLint i = save->prim_count - 1;
-
-      /* Close off in-progress primitive.
-       */
-      save->prim[i].count = (save->vert_count - 
-                             save->prim[i].start);
+      if (save->prim_count > 0) {
+         /* Close off in-progress primitive. */
+         GLint i = save->prim_count - 1;
+         save->prim[i].count = save->vert_count - save->prim[i].start;
+      }
 
       /* Need to replay this display list with loopback,
        * unfortunately, otherwise this primitive won't be handled