From: Vadim Girlin <vadimgirlin@gmail.com>
Date: Mon, 4 Jul 2011 14:30:42 +0000 (+0400)
Subject: r600g: fix buffer overflow check in r600_query_begin
X-Git-Tag: 062012170305~5030
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6bde225b8b5791588837295b3b89ac132095a6f7;p=profile%2Fivi%2Fmesa.git

r600g: fix buffer overflow check in r600_query_begin
---

diff --git a/src/gallium/winsys/r600/drm/r600_hw_context.c b/src/gallium/winsys/r600/drm/r600_hw_context.c
index 81e26f6..633cd35 100644
--- a/src/gallium/winsys/r600/drm/r600_hw_context.c
+++ b/src/gallium/winsys/r600/drm/r600_hw_context.c
@@ -1725,7 +1725,7 @@ static boolean r600_query_result(struct r600_context *ctx, struct r600_query *qu
 
 void r600_query_begin(struct r600_context *ctx, struct r600_query *query)
 {
-	unsigned required_space;
+	unsigned required_space, required_buffer;
 	int num_backends = r600_get_num_backends(ctx->radeon);
 
 	/* query request needs 6/8 dwords for begin + 6/8 dwords for end */
@@ -1739,8 +1739,11 @@ void r600_query_begin(struct r600_context *ctx, struct r600_query *query)
 		r600_context_flush(ctx);
 	}
 
+	required_buffer = query->num_results +
+		4 * (query->type == PIPE_QUERY_OCCLUSION_COUNTER ? ctx->max_db : 1);
+
 	/* if query buffer is full force a flush */
-	if (query->num_results*4 >= query->buffer_size - 16) {
+	if (required_buffer*4 > query->buffer_size) {
 		if (!(query->state & R600_QUERY_STATE_FLUSHED))
 			r600_context_flush(ctx);
 		r600_query_result(ctx, query, TRUE);