From c11d76c51a29ed4fe02a8c46ba9fd64083f155ed Mon Sep 17 00:00:00 2001 From: Ian Romanick Date: Tue, 21 Jan 2014 16:52:42 -0800 Subject: mesa: Increment the list pointer while freeing instruction data Since the list pointer was never incremented when a OPCODE_PIXEL_MAP opcode was encountered, the data for the instruction would get freed over and over and over... resulting in a crash. Fixes gl-1.0-beginend-coverage. Signed-off-by: Ian Romanick Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=72214 Reviewed-by: Brian Paul Cc: Lu Ha --- src/mesa/main/dlist.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/mesa/main') diff --git a/src/mesa/main/dlist.c b/src/mesa/main/dlist.c index cb40ff4db88..08943c9f9b0 100644 --- a/src/mesa/main/dlist.c +++ b/src/mesa/main/dlist.c @@ -767,6 +767,7 @@ _mesa_delete_list(struct gl_context *ctx, struct gl_display_list *dlist) break; case OPCODE_PIXEL_MAP: free(get_pointer(&n[3])); + n += InstSize[n[0].opcode]; break; case OPCODE_CONTINUE: -- cgit v1.2.3