From e4a31a85379d22cd4f14447aac6539f8b0cdc83a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= <maraeo@gmail.com>
Date: Wed, 27 Mar 2013 02:19:47 +0100
Subject: [PATCH] mesa: fix use-after-free with a stale pointer in _DrawArrays

It's okay for _DrawArrays to be NULL.
---
 src/mesa/main/arrayobj.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/mesa/main/arrayobj.c b/src/mesa/main/arrayobj.c
index ac3e7e6..0d61eb3 100644
--- a/src/mesa/main/arrayobj.c
+++ b/src/mesa/main/arrayobj.c
@@ -113,7 +113,12 @@ _mesa_new_array_object( struct gl_context *ctx, GLuint name )
 void
 _mesa_delete_array_object( struct gl_context *ctx, struct gl_array_object *obj )
 {
-   (void) ctx;
+   /* Set _DrawArrays to NULL if it points to this vertex array object. */
+   if (ctx->Array._DrawArrays[0] >= &obj->VertexAttrib[0] &&
+       ctx->Array._DrawArrays[0] < &obj->VertexAttrib[VERT_ATTRIB_MAX]) {
+      ctx->Array._DrawArrays = NULL;
+   }
+
    unbind_array_object_vbos(ctx, obj);
    _mesa_reference_buffer_object(ctx, &obj->ElementArrayBufferObj, NULL);
    _glthread_DESTROY_MUTEX(obj->Mutex);
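Review bot: The new check reads `ctx->Array._DrawArrays[0]` without first testing `ctx->Array._DrawArrays` for NULL, yet the same hunk assigns NULL to that pointer and the commit message states NULL is a valid value; deleting a second array object after the first one cleared the pointer would therefore dereference NULL inside this condition. Guard the pointer before indexing it: `if (ctx->Array._DrawArrays && ctx->Array._DrawArrays[0] >= &obj->VertexAttrib[0] &&`, keeping the rest of the condition as written. A secondary point: comparing `_DrawArrays[0]` against `obj->VertexAttrib` with `>=`/`<` is only well-defined when both point into the same `VertexAttrib` array, so the comment above the check could note that the stale-pointer test relies on that assumption, e.g. `/* Relies on _DrawArrays[0] pointing into some array object's VertexAttrib[] */`. The body of _mesa_delete_array_object continues past the end of the hunk.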
-- 
1.7.10.4

