Fix crashes with pixel readback when using the optimized assembly functions.

Pixel count can be negative (this could be fixed elsewhere), so adapt the
functions to work with such inputs correctly (same behaviour as non-optimized
functions).
Bugzilla #2317
Submitted by idr

diff --git a/src/mesa/x86/read_rgba_span_x86.S b/src/mesa/x86/read_rgba_span_x86.S
index 7315826b4db3683df421dad9a39c4ec45799bec0..6b8036e5b8d8302359235fd0cfa0c9c0fb8d169a 100644 (file)
--- a/src/mesa/x86/read_rgba_span_x86.S
+++ b/src/mesa/x86/read_rgba_span_x86.S
@@ -92,7 +92,7 @@ _generic_read_RGBA_span_BGRA8888_REV_MMX:
        movl    12(%esp), %ecx  /* destination pointer */
 
        testl   %edx, %edx
-       je      .L20            /* Bail if there's nothing to do. */
+       jle     .L20            /* Bail if there's nothing to do. */
 
        movl    %ebx, %eax
 
@@ -189,6 +189,9 @@ _generic_read_RGBA_span_BGRA8888_REV_SSE:
        movl    24(%esp), %edx  /* number of pixels to copy */
        movl    20(%esp), %ecx  /* destination pointer */
 
+       testl   %edx, %edx
+       jle     .L35            /* Bail if there's nothing to do. */
+
        movl    %esp, %ebp
        subl    $16, %esp
        andl    $0xfffffff0, %esp
@@ -348,6 +351,9 @@ _generic_read_RGBA_span_BGRA8888_REV_SSE2:
        movl    %ebx, %eax
        movl    %edx, %esi
 
+       testl   %edx, %edx
+       jle     .L46            /* Bail if there's nothing to do. */
+
        /* If the source pointer isn't a multiple of 16 we have to process
         * a few pixels the "slow" way to get the address aligned for
         * the SSE fetch intsructions.
@@ -528,7 +534,8 @@ _generic_read_RGBA_span_RGB565_MMX:
        movq    prescale, %mm6
        movq    scale, %mm7
 
-       shrl    $2, %ecx
+       sarl    $2, %ecx
+       jle     .L01            /* Bail early if the count is negative. */
        jmp     .L02
 
 .L03: