From: Ian Romanick <[email protected]> Since the list pointer was never incremented when a OPCODE_PIXEL_MAP opcode was encountered, the data for the instruction would get freed over and over and over... resulting in a crash.
Fixes gl-1.0-beginend-coverage. Signed-off-by: Ian Romanick <[email protected]> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=72214 Cc: Brian Paul <[email protected]> Cc: Lu Ha <[email protected]> --- src/mesa/main/dlist.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mesa/main/dlist.c b/src/mesa/main/dlist.c index cb40ff4..08943c9 100644 --- a/src/mesa/main/dlist.c +++ b/src/mesa/main/dlist.c @@ -767,6 +767,7 @@ _mesa_delete_list(struct gl_context *ctx, struct gl_display_list *dlist) break; case OPCODE_PIXEL_MAP: free(get_pointer(&n[3])); + n += InstSize[n[0].opcode]; break; case OPCODE_CONTINUE: -- 1.8.1.4 _______________________________________________ mesa-dev mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/mesa-dev
