diff --git a/libs/video/renderer/vulkan/render_load.c b/libs/video/renderer/vulkan/render_load.c
index 417a96086..8b3a00842 100644
--- a/libs/video/renderer/vulkan/render_load.c
+++ b/libs/video/renderer/vulkan/render_load.c
@@ -536,7 +536,7 @@ find_layout (const qfv_reference_t *ref, objstate_t *s)
 for (uint32_t i = 0; i < li->num_sets; i++) {
 sets[i] = find_descriptorSet (&li->sets[i], s);
 }
- VkPushConstantRange ranges[li->num_pushconstantranges];
+ VkPushConstantRange ranges[li->num_pushconstantranges + 1];
 uint32_t offset = 0;
 for (uint32_t i = 0; i < li->num_pushconstantranges; i++) {
 offset = parse_pushconstantrange (&ranges[i],
diff --git a/libs/video/renderer/vulkan/vulkan_bsp.c b/libs/video/renderer/vulkan/vulkan_bsp.c
index 3f4b8c0f8..e11d9425f 100644
--- a/libs/video/renderer/vulkan/vulkan_bsp.c
+++ b/libs/video/renderer/vulkan/vulkan_bsp.c
@@ -971,6 +971,13 @@ queue_faces (bsp_pass_t *pass, QFV_BspPass pass_ind,
 }
 size_t dq_size = pass->draw_queues[dq].size;
+ // ubsan complains about a non-zero offset applied to a null
+ // pointer when both size is 0 and a is null: quite right, but
+ // when a is null, size must be 0 or there will be bigger
+ // problems. When size is 0, the array gets initialized if it's
+ // not already (ie, if a is null) then the pointer is
+ // recalculated. Thus while not quite a false-positive, it's a
+ // non-issue
 bsp_draw_t *draw = &pass->draw_queues[dq].a[dq_size - 1];
 if (!pass->draw_queues[dq].size
 || draw->tex_id != i
@@ -1336,7 +1343,10 @@ bsp_visit_world (const exprval_t **params, exprval_t *result, exprctx_t *ectx)
 pass->position = r_refdef.frame.position;
 pass->vis_frame = r_visstate.visframecount;
 }
- pass->brush = &r_refdef.worldmodel->brush;
+ pass->brush = nullptr;
+ if (r_refdef.worldmodel) {
+ pass->brush = &r_refdef.worldmodel->brush;
+ }
 EntQueue_Clear (pass->entqueue);
diff --git a/libs/video/renderer/vulkan/vulkan_draw.c b/libs/video/renderer/vulkan/vulkan_draw.c
index a3c2d5efc..1db9b5bb2 100644
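Review bot: The `+ 1` on the `ranges` VLA carries no explanation, so the next reader will take it for an off-by-one against the `num_pushconstantranges` loop immediately below it; the reason is presumably that a VLA of length zero is undefined behaviour when a layout declares no push-constant ranges, and that belongs in a comment, e.g. `// +1: a zero-length VLA is UB when a layout has no push-constant ranges`. The array is also sized directly from a count that appears to come out of the parsed render description (`parse_pushconstantrange` fills it in), so a sanity bound on `li->num_pushconstantranges` before the declaration would keep a malformed description from exhausting the stack — I cannot see from the hunk whether the parser already enforces one. find_layout begins and ends outside the hunk.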
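Review bot: The new comment explains why ubsan reports the `&a[dq_size - 1]` expression, but the pointer arithmetic it describes is undefined whenever `dq_size` is 0, not only when `a` is null: `dq_size - 1` wraps to `SIZE_MAX` on a `size_t`, so with a non-null but empty array the computed address lies far outside the object and the optimizer may assume the line is never reached. Forming the pointer only when an element exists removes the problem instead of documenting it, and the existing `!pass->draw_queues[dq].size` test already short-circuits before `draw` is read: `bsp_draw_t *draw = dq_size ? &pass->draw_queues[dq].a[dq_size - 1] : nullptr;`. The same construction, with the same comment, is added to `get_desc_batch` in vulkan_draw.c, where the same one-line change applies to the `batch` pointer. queue_faces continues outside the hunk.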
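Review bot: Guarding the assignment with `if (r_refdef.worldmodel)` leaves `pass->brush` null in the no-world-model case, which only helps if every later reader of `pass->brush` checks for null; none of those readers are in the hunk, so this may move the dereference rather than remove it. If the rest of the visit is meaningless without a world model, an early `return` at this point would be safer than a null field; otherwise the contract should be stated on the field itself, e.g. `// NULL when no world model is loaded; check before dereferencing` next to `brush` in the bsp_pass_t declaration. bsp_visit_world continues outside the hunk.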
--- a/libs/video/renderer/vulkan/vulkan_draw.c
+++ b/libs/video/renderer/vulkan/vulkan_draw.c
@@ -1251,9 +1251,15 @@ Vulkan_Draw_Init (vulkan_ctx_t *ctx)
 static inline descbatch_t *
 get_desc_batch (drawframe_t *frame, int descid, uint32_t ind_count)
 {
+ // ubsan complains about a non-zero offset applied to a null pointer when
+ // both size is 0 and a is null: quite right, but when a is null, size
+ // must be 0 or there will be bigger problems. When size is 0, the array
+ // gets initialized if it's not already (ie, if a is null) then the
+ // pointer is recalculated. Thus while not quite a false-positive, it's
+ // a non-issue
 descbatch_t *batch = &frame->quad_batch.a[frame->quad_batch.size - 1];
 if (!frame->quad_batch.size || batch->descid != descid
- || ((batch->count & (0xff << 24)) != (ind_count << 24))) {
+ || ((batch->count & (0xffu << 24)) != (ind_count << 24))) {
 DARRAY_APPEND(&frame->quad_batch, ((descbatch_t) { .descid = descid }));
 batch = &frame->quad_batch.a[frame->quad_batch.size - 1];
 batch->count = ind_count << 24;
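Review bot: With `0xffu << 24` the signed-shift problem on the mask line is fixed, but the 8-bit field packed into the top of `count` is still spelled as bare literals in three places in get_desc_batch — the mask here, `ind_count << 24` in the comparison and `batch->count = ind_count << 24;` below — so a later change of the field width has to find all of them. A pair of named constants for the shift and the mask, used at all three sites, would make the layout of `count` explicit; the `ind_count << 24` operands also silently discard anything above 8 bits of `ind_count`, which a comment on the field or a debug assertion could make visible. The rationale comment is duplicated word for word from queue_faces in vulkan_bsp.c; a one-line reference to a single explanation (for instance at the DARRAY definition) would be easier to keep in sync. Whether `count` is unpacked elsewhere with the same literal 24 I cannot see from the hunk, and get_desc_batch continues past it.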