util/vbuf: fix buffer translation sizing

the original change here attempted to fix calculating the maximum bound for the mapped readback buffer by adding the maximum attribute size to the final element used by readback the calculation was erroneous, however, because it instead calculated the maximum offset instead of the size, which would cause a different kind of overrun Fixes: 3c5b7dca30 ("util/vbuf: fix buffer overrun in attribute conversions") fixes #5846 Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/14479>
2022-01-10 12:07:50 -05:00
parent 8f18c72f9a
commit 596d2ab0ad
1 changed files with 3 additions and 2 deletions
--- a/src/gallium/auxiliary/util/u_vbuf.c
+++ b/src/gallium/auxiliary/util/u_vbuf.c
@@ -501,9 +501,10 @@ u_vbuf_translate_buffers(struct u_vbuf *mgr, struct translate_key *key,
             * themselves, meaning that if stride < element_size, the mapped size will
             * be too small and conversion will overrun the map buffer
             *
-             * instead, add the size of the largest possible attribute to ensure the map is large enough
+             * instead, add the size of the largest possible attribute to the final attribute's offset
+             * in order to ensure the map is large enough
             */
-            unsigned last_offset = offset + size - vb->stride;
+            unsigned last_offset = size - vb->stride;
            size = MAX2(size, last_offset + sizeof(double)*4);
         }