From 97532db988f55743d498a1fe3f9e30f9cb549b2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= <marek.olsak@amd.com>
Date: Tue, 9 Jan 2024 03:19:54 -0500
Subject: [PATCH] glthread: fix multi draws with a negative draw count

This fixes the invalid pointers when draw_count is invalid.
I don't know if it had any adverse affect.

Acked-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27350>
---
 src/mesa/main/glthread_draw.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/mesa/main/glthread_draw.c b/src/mesa/main/glthread_draw.c
index 7c5a48d6f9a..889cb6a176a 100644
--- a/src/mesa/main/glthread_draw.c
+++ b/src/mesa/main/glthread_draw.c
@@ -481,13 +481,14 @@ _mesa_unmarshal_MultiDrawArraysUserBuf(struct gl_context *ctx,
 {
    const GLenum mode = cmd->mode;
    const GLsizei draw_count = cmd->draw_count;
+   const GLsizei real_draw_count = MAX2(draw_count, 0);
    const GLuint user_buffer_mask = cmd->user_buffer_mask;
 
    const char *variable_data = (const char *)(cmd + 1);
    const GLint *first = (GLint *)variable_data;
-   variable_data += sizeof(GLint) * draw_count;
+   variable_data += sizeof(GLint) * real_draw_count;
    const GLsizei *count = (GLsizei *)variable_data;
-   variable_data += sizeof(GLsizei) * draw_count;
+   variable_data += sizeof(GLsizei) * real_draw_count;
    const struct glthread_attrib_binding *buffers =
       (const struct glthread_attrib_binding *)variable_data;
 
@@ -897,18 +898,19 @@ _mesa_unmarshal_MultiDrawElementsUserBuf(struct gl_context *ctx,
                                          const struct marshal_cmd_MultiDrawElementsUserBuf *restrict cmd)
 {
    const GLsizei draw_count = cmd->draw_count;
+   const GLsizei real_draw_count = MAX2(draw_count, 0);
    const GLuint user_buffer_mask = cmd->user_buffer_mask;
    const bool has_base_vertex = cmd->has_base_vertex;
 
    const char *variable_data = (const char *)(cmd + 1);
    const GLsizei *count = (GLsizei *)variable_data;
-   variable_data += sizeof(GLsizei) * draw_count;
+   variable_data += sizeof(GLsizei) * real_draw_count;
    const GLvoid *const *indices = (const GLvoid *const *)variable_data;
-   variable_data += sizeof(const GLvoid *const *) * draw_count;
+   variable_data += sizeof(const GLvoid *const *) * real_draw_count;
    const GLsizei *basevertex = NULL;
    if (has_base_vertex) {
       basevertex = (GLsizei *)variable_data;
-      variable_data += sizeof(GLsizei) * draw_count;
+      variable_data += sizeof(GLsizei) * real_draw_count;
    }
    const struct glthread_attrib_binding *buffers =
       (const struct glthread_attrib_binding *)variable_data;