Mesa (mesa_7_4_branch): r300: Increase reference count of texture objects referenced by current state.

Thu Apr 30 12:08:33 UTC 2009

Module: Mesa
Branch: mesa_7_4_branch
Commit: a1ce4efefbb7f796a0a24544a1e893a56848f0c1
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=a1ce4efefbb7f796a0a24544a1e893a56848f0c1

Author: Michel Dänzer <daenzer at vmware.com>
Date:   Thu Apr 30 13:21:08 2009 +0200

r300: Increase reference count of texture objects referenced by current state.

Fixes a use-after-free reported in
http://bugs.freedesktop.org/show_bug.cgi?id=20539, so this possibly fixes that
bug. It has been confirmed to fix
http://bugs.freedesktop.org/show_bug.cgi?id=17895 .
(cherry picked from commit c28707b50701b1cf8727be29d61e2d939c6ee58f)

---

 src/mesa/drivers/dri/r300/r300_context.h  |    2 +-
 src/mesa/drivers/dri/r300/r300_state.c    |    2 +-
 src/mesa/drivers/dri/r300/r300_texmem.c   |    5 +++--
 src/mesa/drivers/dri/r300/r300_texstate.c |   11 ++++++-----
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h
index c15e9fa..4a877ed 100644
--- a/src/mesa/drivers/dri/r300/r300_context.h
+++ b/src/mesa/drivers/dri/r300/r300_context.h
@@ -211,7 +211,7 @@ struct r300_tex_obj {
 };
 
 struct r300_texture_env_state {
-	r300TexObjPtr texobj;
+	struct gl_texture_object *texobj;
 	GLenum format;
 	GLenum envMode;
 };
diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c
index b756d1c..de4063a 100644
--- a/src/mesa/drivers/dri/r300/r300_state.c
+++ b/src/mesa/drivers/dri/r300/r300_state.c
@@ -1487,7 +1487,7 @@ static void r300SetupTextures(GLcontext * ctx)
 #endif
 			tmu_mappings[i] = hw_tmu;
 
-			t = r300->state.texture.unit[i].texobj;
+			t = (r300TexObjPtr) r300->state.texture.unit[i].texobj->DriverData;
 			/* XXX questionable fix for bug 9170: */
 			if (!t)
 				continue;
diff --git a/src/mesa/drivers/dri/r300/r300_texmem.c b/src/mesa/drivers/dri/r300/r300_texmem.c
index b03eefa..8d7889e 100644
--- a/src/mesa/drivers/dri/r300/r300_texmem.c
+++ b/src/mesa/drivers/dri/r300/r300_texmem.c
@@ -44,6 +44,7 @@ SOFTWARE.
 #include "main/colormac.h"
 #include "main/macros.h"
 #include "main/simple_list.h"
+#include "main/texobj.h"
 #include "radeon_reg.h"		/* gets definition for usleep */
 #include "r300_context.h"
 #include "r300_state.h"
@@ -71,8 +72,8 @@ void r300DestroyTexObj(r300ContextPtr rmesa, r300TexObjPtr t)
 	}
 
 	for (i = 0; i < rmesa->radeon.glCtx->Const.MaxTextureUnits; i++) {
-		if (rmesa->state.texture.unit[i].texobj == t) {
-			rmesa->state.texture.unit[i].texobj = NULL;
+		if (rmesa->state.texture.unit[i].texobj == t->base.tObj) {
+			_mesa_reference_texobj(&rmesa->state.texture.unit[i].texobj, NULL);
 		}
 	}
 }
diff --git a/src/mesa/drivers/dri/r300/r300_texstate.c b/src/mesa/drivers/dri/r300/r300_texstate.c
index e2329f0..ccfeb10 100644
--- a/src/mesa/drivers/dri/r300/r300_texstate.c
+++ b/src/mesa/drivers/dri/r300/r300_texstate.c
@@ -567,19 +567,20 @@ static GLboolean r300UpdateTexture(GLcontext * ctx, int unit)
 	/* Update state if this is a different texture object to last
 	 * time.
 	 */
-	if (rmesa->state.texture.unit[unit].texobj != t) {
+	if (rmesa->state.texture.unit[unit].texobj != tObj) {
 		if (rmesa->state.texture.unit[unit].texobj != NULL) {
+			r300TexObjPtr t_old = (r300TexObjPtr) rmesa->state.texture.unit[unit].texobj->DriverData;
+
 			/* The old texture is no longer bound to this texture unit.
 			 * Mark it as such.
 			 */
 
-			rmesa->state.texture.unit[unit].texobj->base.bound &=
-			    ~(1 << unit);
+			t_old->base.bound &= ~(1 << unit);
 		}
 
-		rmesa->state.texture.unit[unit].texobj = t;
+		_mesa_reference_texobj(&rmesa->state.texture.unit[unit].texobj, tObj);
 		t->base.bound |= (1 << unit);
-		driUpdateTextureLRU((driTextureObject *) t);	/* XXX: should be locked! */
+		driUpdateTextureLRU(&t->base);	/* XXX: should be locked! */
 	}
 
 	return !t->border_fallback;


