From: Markus Fleschutz <markus.fleschutz@x-software.com>
Date: Fri, 26 Feb 2010 17:34:19 +0000 (-0700)
Subject: glx: fix incorrect array stack memory allocation
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=83f1183e769777df5ada4bf7add3390881f88d02;p=mesa.git

glx: fix incorrect array stack memory allocation

The array stack space wasn't allocated to the proper size.  Fixes out of
bounds memory writes when the client/array stack depth exceeds one.

See fd.o bug 26768.
---

diff --git a/src/glx/indirect_vertex_array.c b/src/glx/indirect_vertex_array.c
index ad9882528ff..ec0e654ceae 100644
--- a/src/glx/indirect_vertex_array.c
+++ b/src/glx/indirect_vertex_array.c
@@ -291,7 +291,8 @@ __glXInitVertexArrayState(__GLXcontext * gc)
 
    arrays->stack_index = 0;
    arrays->stack = malloc(sizeof(struct array_stack_state)
-                          * arrays->num_arrays);
+                          * arrays->num_arrays
+                          * __GL_CLIENT_ATTRIB_STACK_DEPTH);
 }