From 99796388db25dbe159e4306e63ad547aeeed0ee1 Mon Sep 17 00:00:00 2001
From: Tobin Ehlis <tobin@lunarg.com>
Date: Wed, 25 Feb 2015 16:34:54 -0700
Subject: layers: Fix DrawState buffer over-run when clearing descriptors

---
 layers/draw_state.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/layers/draw_state.c b/layers/draw_state.c
index 7e6d15b2..0b7bfc78 100644
--- a/layers/draw_state.c
+++ b/layers/draw_state.c
@@ -936,6 +936,7 @@ static void dsUpdate(XGL_DESCRIPTOR_SET ds, GENERIC_HEADER* pUpdateChain)
                         pSet->pUpdateStructs = pNewNode;
                         // Now update appropriate descriptor(s) to point to new Update node
                         for (uint32_t i = getUpdateIndex(pUpdates); i < getUpdateUpperBound(pUpdates); i++) {
+                            assert(i<pSet->descriptorCount);
                             pSet->ppDescriptors[i] = pNewNode;
                         }
                     }
@@ -954,7 +955,7 @@ static void freeShadowUpdateTree(SET_NODE* pSet)
     pSet->pUpdateStructs = NULL;
     GENERIC_HEADER* pFreeUpdate = pShadowUpdate;
     // Clear the descriptor mappings as they will now be invalid
-    memset(pSet->ppDescriptors, 0, pSet->descriptorCount*sizeof(GENERIC_HEADER));
+    memset(pSet->ppDescriptors, 0, pSet->descriptorCount*sizeof(GENERIC_HEADER*));
     while(pShadowUpdate) {
         pFreeUpdate = pShadowUpdate;
         pShadowUpdate = (GENERIC_HEADER*)pShadowUpdate->pNext;
-- 
cgit v1.2.3