Mesa (master): mesa: check if TNL state is null in _tnl_free_vertices() to avoid potential segfault

Brian Paul brianp at kemper.freedesktop.org
Fri Feb 13 15:19:15 UTC 2009 

Module: Mesa
Branch: master
Commit: ac53b1b0345f10f988c412af528bfd38052acab5
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=ac53b1b0345f10f988c412af528bfd38052acab5

Author: Brian Paul <brianp at vmware.com>
Date:   Fri Feb 13 08:11:01 2009 -0700

mesa: check if TNL state is null in _tnl_free_vertices() to avoid potential segfault

_tnl_free_vertices() is called from several places during context tear-down.
Depending on the order in which the swrast, swrast_setup and tnl context is
destroyed we could hit a null pointer here.  This doesn't seem to be an
actual issue with any Mesa drivers, but let's be safe.

---

 src/mesa/tnl/t_vertex.c |   45 ++++++++++++++++++++++++---------------------
 1 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/src/mesa/tnl/t_vertex.c b/src/mesa/tnl/t_vertex.c
index 10b78f8..fe4209a 100644
--- a/src/mesa/tnl/t_vertex.c
+++ b/src/mesa/tnl/t_vertex.c
@@ -535,27 +535,30 @@ void _tnl_init_vertices( GLcontext *ctx,
 
 void _tnl_free_vertices( GLcontext *ctx )
 {
-   struct tnl_clipspace *vtx = GET_VERTEX_STATE(ctx);
-   struct tnl_clipspace_fastpath *fp, *tmp;
+   TNLcontext *tnl = TNL_CONTEXT(ctx);
+   if (tnl) {
+      struct tnl_clipspace *vtx = GET_VERTEX_STATE(ctx);
+      struct tnl_clipspace_fastpath *fp, *tmp;
 
-   if (vtx->vertex_buf) {
-      ALIGN_FREE(vtx->vertex_buf);
-      vtx->vertex_buf = NULL;
-   }
-   
-   for (fp = vtx->fastpath ; fp ; fp = tmp) {
-      tmp = fp->next;
-      FREE(fp->attr);
-
-      /* KW: At the moment, fp->func is constrained to be allocated by
-       * _mesa_exec_alloc(), as the hardwired fastpaths in
-       * t_vertex_generic.c are handled specially.  It would be nice
-       * to unify them, but this probably won't change until this
-       * module gets another overhaul.
-       */
-      _mesa_exec_free((void *) fp->func);
-      FREE(fp);
+      if (vtx->vertex_buf) {
+         ALIGN_FREE(vtx->vertex_buf);
+         vtx->vertex_buf = NULL;
+      }
+
+      for (fp = vtx->fastpath ; fp ; fp = tmp) {
+         tmp = fp->next;
+         FREE(fp->attr);
+
+         /* KW: At the moment, fp->func is constrained to be allocated by
+          * _mesa_exec_alloc(), as the hardwired fastpaths in
+          * t_vertex_generic.c are handled specially.  It would be nice
+          * to unify them, but this probably won't change until this
+          * module gets another overhaul.
+          */
+         _mesa_exec_free((void *) fp->func);
+         FREE(fp);
+      }
+
+      vtx->fastpath = NULL;
    }
-   
-   vtx->fastpath = NULL;
 }

More information about the mesa-commit mailing list