From 596d2ab0ade9c1712cb25a89b66c980ff0f2eb92 Mon Sep 17 00:00:00 2001 From: Mike Blumenkrantz Date: Mon, 10 Jan 2022 12:07:50 -0500 Subject: [PATCH] util/vbuf: fix buffer translation sizing the original change here attempted to fix calculating the maximum bound for the mapped readback buffer by adding the maximum attribute size to the final element used by readback the calculation was erroneous, however, because it instead calculated the maximum offset instead of the size, which would cause a different kind of overrun Fixes: 3c5b7dca30e ("util/vbuf: fix buffer overrun in attribute conversions") fixes #5846 Part-of: --- src/gallium/auxiliary/util/u_vbuf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/gallium/auxiliary/util/u_vbuf.c b/src/gallium/auxiliary/util/u_vbuf.c index ce44a131080..2772acb501b 100644 --- a/src/gallium/auxiliary/util/u_vbuf.c +++ b/src/gallium/auxiliary/util/u_vbuf.c @@ -501,9 +501,10 @@ u_vbuf_translate_buffers(struct u_vbuf *mgr, struct translate_key *key, * themselves, meaning that if stride < element_size, the mapped size will * be too small and conversion will overrun the map buffer * - * instead, add the size of the largest possible attribute to ensure the map is large enough + * instead, add the size of the largest possible attribute to the final attribute's offset + * in order to ensure the map is large enough */ - unsigned last_offset = offset + size - vb->stride; + unsigned last_offset = size - vb->stride; size = MAX2(size, last_offset + sizeof(double)*4); }
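Review bot: in the new line `unsigned last_offset = size - vb->stride;` both operands are unsigned, and nothing in the visible hunk shows that `size >= vb->stride` holds at this point. If the stride can exceed `size`, the subtraction wraps and `MAX2(size, last_offset + sizeof(double)*4)` then selects a very large map size or wraps a second time, which is the same class of sizing error this patch is correcting. Consider asserting the invariant or computing `last_offset` only when `size > vb->stride`, and state the assumption in the comment above it. As a smaller point, `sizeof(double)*4` would be easier to audit as a named constant for the largest attribute size than as an inline expression.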