mesa: Increment the list pointer while freeing instruction data

Since the list pointer was never incremented when a OPCODE_PIXEL_MAP
opcode was encountered, the data for the instruction would get freed
over and over and over... resulting in a crash.

Fixes gl-1.0-beginend-coverage.

Signed-off-by: Ian Romanick <ian.d.romanick@intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=72214
Reviewed-by: Brian Paul <brianp@vmware.com>
Cc: Lu Ha <huax.lu@intel.com>

diff --git a/src/mesa/main/dlist.c b/src/mesa/main/dlist.c
index cb40ff4db885c166df634fb48bac7cf9bde090c8..08943c9f9b0ad384ec863acff50351d71d11b837 100644 (file)
--- a/src/mesa/main/dlist.c
+++ b/src/mesa/main/dlist.c
@@ -767,6 +767,7 @@ _mesa_delete_list(struct gl_context *ctx, struct gl_display_list *dlist)
             break;
          case OPCODE_PIXEL_MAP:
             free(get_pointer(&n[3]));
+            n += InstSize[n[0].opcode];
             break;
 
          case OPCODE_CONTINUE: