Mesa (master): r300: Increase reference count of texture objects referenced by current state.

Michel Dänzer daenzer at kemper.freedesktop.org
Thu Apr 30 11:48:32 UTC 2009


Module: Mesa
Branch: master
Commit: c28707b50701b1cf8727be29d61e2d939c6ee58f
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=c28707b50701b1cf8727be29d61e2d939c6ee58f

Author: Michel Dänzer <daenzer at vmware.com>
Date:   Thu Apr 30 13:21:08 2009 +0200

r300: Increase reference count of texture objects referenced by current state.

Fixes a use-after-free reported in
http://bugs.freedesktop.org/show_bug.cgi?id=20539, so this possibly fixes that
bug. It has been confirmed to fix
http://bugs.freedesktop.org/show_bug.cgi?id=17895 .

---

 src/mesa/drivers/dri/r300/r300_context.h  |    2 +-
 src/mesa/drivers/dri/r300/r300_state.c    |    2 +-
 src/mesa/drivers/dri/r300/r300_texmem.c   |    5 +++--
 src/mesa/drivers/dri/r300/r300_texstate.c |   11 ++++++-----
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h
index 9c49586..96a3205 100644
--- a/src/mesa/drivers/dri/r300/r300_context.h
+++ b/src/mesa/drivers/dri/r300/r300_context.h
@@ -215,7 +215,7 @@ struct r300_tex_obj {
 };
 
 struct r300_texture_env_state {
-	r300TexObjPtr texobj;
+	struct gl_texture_object *texobj;
 	GLenum format;
 	GLenum envMode;
 };
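Review bot: The `texobj` field changes from a borrowed driver pointer to a counted `struct gl_texture_object` reference, but nothing on the declaration says so. A later plain assignment to the field would bypass the reference count and could bring back the use-after-free this commit addresses. I would add a comment on the field such as `/* counted reference: set and clear only through _mesa_reference_texobj() */`.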
diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c
index 6b79aa4..79f0b36 100644
--- a/src/mesa/drivers/dri/r300/r300_state.c
+++ b/src/mesa/drivers/dri/r300/r300_state.c
@@ -1362,7 +1362,7 @@ static void r300SetupTextures(GLcontext * ctx)
 #endif
 			tmu_mappings[i] = hw_tmu;
 
-			t = r300->state.texture.unit[i].texobj;
+			t = (r300TexObjPtr) r300->state.texture.unit[i].texobj->DriverData;
 			/* XXX questionable fix for bug 9170: */
 			if (!t)
 				continue;
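Review bot: The new assignment dereferences `texobj` before the `if (!t)` check runs, so a unit whose `texobj` is NULL now faults on `->DriverData` instead of being skipped. r300DestroyTexObj in r300_texmem.c resets the field to NULL in this same commit, so NULL is a reachable value unless the enabled-unit test earlier in the loop, which is outside the hunk, rules it out. A guard before the read keeps the old skip behaviour: `if (!r300->state.texture.unit[i].texobj) continue;`. r300SetupTextures starts and ends outside the hunk.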
diff --git a/src/mesa/drivers/dri/r300/r300_texmem.c b/src/mesa/drivers/dri/r300/r300_texmem.c
index 0fe51b0..a89ab83 100644
--- a/src/mesa/drivers/dri/r300/r300_texmem.c
+++ b/src/mesa/drivers/dri/r300/r300_texmem.c
@@ -44,6 +44,7 @@ SOFTWARE.
 #include "main/colormac.h"
 #include "main/macros.h"
 #include "main/simple_list.h"
+#include "main/texobj.h"
 #include "radeon_reg.h"		/* gets definition for usleep */
 #include "r300_context.h"
 #include "r300_state.h"
@@ -71,8 +72,8 @@ void r300DestroyTexObj(r300ContextPtr rmesa, r300TexObjPtr t)
 	}
 
 	for (i = 0; i < rmesa->radeon.glCtx->Const.MaxTextureUnits; i++) {
-		if (rmesa->state.texture.unit[i].texobj == t) {
-			rmesa->state.texture.unit[i].texobj = NULL;
+		if (rmesa->state.texture.unit[i].texobj == t->base.tObj) {
+			_mesa_reference_texobj(&rmesa->state.texture.unit[i].texobj, NULL);
 		}
 	}
 }
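Review bot: Clearing the slot with `_mesa_reference_texobj(..., NULL)` may release the last reference to the texture object, which would presumably run the texture-delete path while `t` is still being torn down in this function. Whether that can happen depends on the callers of r300DestroyTexObj, which are not visible here, so it should be confirmed that neither `t` nor `t->base.tObj` is touched after the loop. A comment at the call would record the hazard: `/* drops the state's reference; may free the gl_texture_object if it was the last one */`. The function body begins outside the hunk.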
diff --git a/src/mesa/drivers/dri/r300/r300_texstate.c b/src/mesa/drivers/dri/r300/r300_texstate.c
index cadec7f..abe613e 100644
--- a/src/mesa/drivers/dri/r300/r300_texstate.c
+++ b/src/mesa/drivers/dri/r300/r300_texstate.c
@@ -567,19 +567,20 @@ static GLboolean r300UpdateTexture(GLcontext * ctx, int unit)
 	/* Update state if this is a different texture object to last
 	 * time.
 	 */
-	if (rmesa->state.texture.unit[unit].texobj != t) {
+	if (rmesa->state.texture.unit[unit].texobj != tObj) {
 		if (rmesa->state.texture.unit[unit].texobj != NULL) {
+			r300TexObjPtr t_old = (r300TexObjPtr) rmesa->state.texture.unit[unit].texobj->DriverData;
+
 			/* The old texture is no longer bound to this texture unit.
 			 * Mark it as such.
 			 */
 
-			rmesa->state.texture.unit[unit].texobj->base.bound &=
-			    ~(1 << unit);
+			t_old->base.bound &= ~(1 << unit);
 		}
 
-		rmesa->state.texture.unit[unit].texobj = t;
+		_mesa_reference_texobj(&rmesa->state.texture.unit[unit].texobj, tObj);
 		t->base.bound |= (1 << unit);
-		driUpdateTextureLRU((driTextureObject *) t);	/* XXX: should be locked! */
+		driUpdateTextureLRU(&t->base);	/* XXX: should be locked! */
 	}
 
 	return !t->border_fallback;
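Review bot: `t_old` is read from `DriverData` and dereferenced without a check, while r300SetupTextures treats the same `DriverData` value as possibly NULL (`if (!t) continue;`). If the previously bound object can lose its driver data while the state still holds a reference to it, `t_old->base.bound` is a NULL dereference. Guarding it is cheap: `if (t_old) t_old->base.bound &= ~(1 << unit);`. r300UpdateTexture starts and ends outside the hunk.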



