From 9729c162deb1a96455a7aaaee7f2d53486ed8428 Mon Sep 17 00:00:00 2001
From: Ramin Azarmehr <ramin.azarmehr@gmail.com>
Date: Thu, 14 Jun 2018 14:14:05 +1000
Subject: [PATCH] renderer: fix memory corruption when using glBufferSubData

Reason: the second parameter in glBufferSubData() is the offset,
but in vrend_read_from_iovec_cb() function in iov.c, the "count"
is passed to it causing to possibly write beyond the buffer boundary
(or at wrong offset).

Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
[airlied: I split this bit out - bisections are a lot easier]
Reviewed-by: Dave Airlie <airlied@redhat.com>
---
 src/iov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/iov.c b/src/iov.c
index aae995b..1aa21e3 100644
--- a/src/iov.c
+++ b/src/iov.c
@@ -124,7 +124,7 @@ size_t vrend_read_from_iovec_cb(const struct iovec *iov, int iovlen,
       
       if (count < iov->iov_len - offset) len = count;
 
-      (*iocb)(cookie, count, (char*)iov->iov_base + offset, len);
+      (*iocb)(cookie, read, (char*)iov->iov_base + offset, len);
       read += len;
 
       count -= len;