From bfcf78c1101a1cbcdd9a479722203047c8d6c26a Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Wed, 15 Jan 2014 11:39:24 +0000 Subject: [PATCH] st/mesa: use signed temporary variable to store _ColorDrawBufferIndexes MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The temporary variable used to store _ColorDrawBufferIndexes must be signed (GLint), otherwise the following conditional will be incorrectly evaluated. Leading to crashes in the driver/mesa or accessing/writing to arbitrary memory location. The bug dates back to 2009. Cc: 10.0 9.2 9.1 Reviewed-by: Marek Olšák Signed-off-by: Emil Velikov --- src/mesa/state_tracker/st_cb_clear.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mesa/state_tracker/st_cb_clear.c b/src/mesa/state_tracker/st_cb_clear.c index 87dccee1f49..79124b3daa4 100644 --- a/src/mesa/state_tracker/st_cb_clear.c +++ b/src/mesa/state_tracker/st_cb_clear.c @@ -444,7 +444,7 @@ st_Clear(struct gl_context *ctx, GLbitfield mask) if (mask & BUFFER_BITS_COLOR) { for (i = 0; i < ctx->DrawBuffer->_NumColorDrawBuffers; i++) { - GLuint b = ctx->DrawBuffer->_ColorDrawBufferIndexes[i]; + GLint b = ctx->DrawBuffer->_ColorDrawBufferIndexes[i]; if (b >= 0 && mask & (1 << b)) { struct gl_renderbuffer *rb -- 2.30.2