From 45b64e52f4df49ac01ac100fba2c01633d492a6d Mon Sep 17 00:00:00 2001 From: Ilia Mirkin Date: Wed, 22 Jan 2014 21:30:07 -0500 Subject: [PATCH] util/u_vbuf: correct map offset calculation for crazy offsets MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit When the min_index is very large (or very negative), the multipliation can overflow 32 bits and result in an incorrect map pointer modification. Signed-off-by: Ilia Mirkin Reviewed-by: Marek Olšák --- src/gallium/auxiliary/util/u_vbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gallium/auxiliary/util/u_vbuf.c b/src/gallium/auxiliary/util/u_vbuf.c index 52b360ed7aa..0c9c349e00e 100644 --- a/src/gallium/auxiliary/util/u_vbuf.c +++ b/src/gallium/auxiliary/util/u_vbuf.c @@ -370,7 +370,7 @@ u_vbuf_translate_buffers(struct u_vbuf *mgr, struct translate_key *key, /* Subtract min_index so that indexing with the index buffer works. */ if (unroll_indices) { - map -= vb->stride * min_index; + map -= (ptrdiff_t)vb->stride * min_index; } tr->set_buffer(tr, i, map, vb->stride, ~0); -- 2.30.2