From 1c3f7ab74ce492d6c92f2e3a0f29957fa9a71d96 Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Wed, 4 Nov 2009 17:51:21 -0700 Subject: vbo: fix out-of-bounds array access The exec->vtx.inputs[] array was being written past its end. This was clobbering the following vbo_exec_context::eval state. Probably not noticed since evaluators and immediate mode rendering don't happen at the same time. Fixed the loop in vbo_exec_vtx_init(). Changed the size of the vbo_exec_context::vtx.arrays[] array. Added a bunch of debug-build assertions. Issue found by Vinson Lee. --- src/mesa/vbo/vbo_exec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/mesa/vbo/vbo_exec.h') diff --git a/src/mesa/vbo/vbo_exec.h b/src/mesa/vbo/vbo_exec.h index e0f44892cff..7fb59261600 100644 --- a/src/mesa/vbo/vbo_exec.h +++ b/src/mesa/vbo/vbo_exec.h @@ -103,7 +103,7 @@ struct vbo_exec_context GLubyte active_sz[VBO_ATTRIB_MAX]; GLfloat *attrptr[VBO_ATTRIB_MAX]; - struct gl_client_array arrays[VBO_ATTRIB_MAX]; + struct gl_client_array arrays[VERT_ATTRIB_MAX]; /* According to program mode, the values above plus current * values are squashed down to the 32 attributes passed to the -- cgit v1.2.3