st/mesa: trim calculated userbuffer size

In get_array_bounds we were previously defining a user buffer sized as
(nr_vertices * stride).  The trouble is that if the vertex data
occupies less than stride bytes, the extra tailing (stride - size)
bytes may extend outside the memory actually allocated by the app and
caused a segfault.

To fix this, define a the buffer bounds to be:

   ptr .. ptr + (nr-1)*stride + element_size

diff --git a/src/mesa/state_tracker/st_draw.c b/src/mesa/state_tracker/st_draw.c
index 225541a..11699d5 100644 (file)
--- a/src/mesa/state_tracker/st_draw.c
+++ b/src/mesa/state_tracker/st_draw.c
@@ -317,23 +317,29 @@ get_arrays_bounds(const struct st_vertex_program *vp,
                        const GLubyte **low, const GLubyte **high)
 {
    const GLubyte *low_addr = NULL;
+   const GLubyte *high_addr = NULL;
    GLuint attr;
-   GLint stride;
 
    for (attr = 0; attr < vp->num_inputs; attr++) {
       const GLuint mesaAttr = vp->index_to_input[attr];
+      const GLint stride = arrays[mesaAttr]->StrideB;
       const GLubyte *start = arrays[mesaAttr]->Ptr;
-      stride = arrays[mesaAttr]->StrideB;
+      const unsigned sz = (arrays[mesaAttr]->Size * 
+                           _mesa_sizeof_type(arrays[mesaAttr]->Type));
+      const GLubyte *end = start + (max_index * stride) + sz;
+
       if (attr == 0) {
          low_addr = start;
+         high_addr = end;
       }
       else {
          low_addr = MIN2(low_addr, start);
+         high_addr = MAX2(high_addr, end);
       }
    }
 
    *low = low_addr;
-   *high = low_addr + (max_index + 1) * stride;
+   *high = high_addr;
 }