From 8da09e6924ca22ba7951d5a7673dfab2a711a997 Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Thu, 21 May 2009 16:54:35 -0600 Subject: [PATCH] vbo: fix incorrect loop limit in bind_array_obj() The generic_array[] is 16 elements in size, but the loop was doing 32 iterations. The out of bounds array write was clobbering the following inputs[] array but as luck would have it, that didn't matter. --- src/mesa/vbo/vbo_exec_array.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/mesa/vbo/vbo_exec_array.c b/src/mesa/vbo/vbo_exec_array.c index 0e611840c2e..65fe197a4d7 100644 --- a/src/mesa/vbo/vbo_exec_array.c +++ b/src/mesa/vbo/vbo_exec_array.c @@ -118,8 +118,11 @@ static void bind_array_obj( GLcontext *ctx ) for (i = 0; i < MAX_TEXTURE_COORD_UNITS; i++) exec->array.legacy_array[VERT_ATTRIB_TEX0 + i] = &arrayObj->TexCoord[i]; - for (i = 0; i < VERT_ATTRIB_MAX; i++) + for (i = 0; i < MAX_VERTEX_ATTRIBS; i++) { + assert(i < Elements(arrayObj->VertexAttrib)); + assert(i < Elements(exec->array.generic_array)); exec->array.generic_array[i] = &arrayObj->VertexAttrib[i]; + } exec->array.array_obj = arrayObj->Name; } -- 2.30.2