When the min_index is very large (or very negative), the multipliation can overflow 32 bits and result in an incorrect map pointer modification.
Signed-off-by: Ilia Mirkin <[email protected]> --- I tested this by setting PIPE_CAP_USER_*_BUFFERS to 0 on nv50, and hacking the logic to say that unroll_indices = true, running with the draw-elements-base-vertex-neg user_varrays test. src/gallium/auxiliary/util/u_vbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gallium/auxiliary/util/u_vbuf.c b/src/gallium/auxiliary/util/u_vbuf.c index 52b360e..0c9c349 100644 --- a/src/gallium/auxiliary/util/u_vbuf.c +++ b/src/gallium/auxiliary/util/u_vbuf.c @@ -370,7 +370,7 @@ u_vbuf_translate_buffers(struct u_vbuf *mgr, struct translate_key *key, /* Subtract min_index so that indexing with the index buffer works. */ if (unroll_indices) { - map -= vb->stride * min_index; + map -= (ptrdiff_t)vb->stride * min_index; } tr->set_buffer(tr, i, map, vb->stride, ~0); -- 1.8.3.2 _______________________________________________ mesa-dev mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/mesa-dev
