From: Brian Paul Date: Thu, 21 May 2009 22:54:35 +0000 (-0600) Subject: vbo: fix incorrect loop limit in bind_array_obj() X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=8da09e6924ca22ba7951d5a7673dfab2a711a997;p=mesa.git vbo: fix incorrect loop limit in bind_array_obj() The generic_array[] is 16 elements in size, but the loop was doing 32 iterations. The out of bounds array write was clobbering the following inputs[] array but as luck would have it, that didn't matter. --- diff --git a/src/mesa/vbo/vbo_exec_array.c b/src/mesa/vbo/vbo_exec_array.c index 0e611840c2e..65fe197a4d7 100644 --- a/src/mesa/vbo/vbo_exec_array.c +++ b/src/mesa/vbo/vbo_exec_array.c @@ -118,8 +118,11 @@ static void bind_array_obj( GLcontext *ctx ) for (i = 0; i < MAX_TEXTURE_COORD_UNITS; i++) exec->array.legacy_array[VERT_ATTRIB_TEX0 + i] = &arrayObj->TexCoord[i]; - for (i = 0; i < VERT_ATTRIB_MAX; i++) + for (i = 0; i < MAX_VERTEX_ATTRIBS; i++) { + assert(i < Elements(arrayObj->VertexAttrib)); + assert(i < Elements(exec->array.generic_array)); exec->array.generic_array[i] = &arrayObj->VertexAttrib[i]; + } exec->array.array_obj = arrayObj->Name; }