Mesa (master): mesa: fix _mesa_free_pipeline_data() use-after-free bug
Brian Paul
brianp at kemper.freedesktop.org
Fri Sep 12 15:18:35 UTC 2014
Module: Mesa
Branch: master
Commit: 0d73ac6b02cac46d4a8f3cd1ffa591e071577fa7
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=0d73ac6b02cac46d4a8f3cd1ffa591e071577fa7
Author: Brian Paul <brianp at vmware.com>
Date: Fri Sep 12 06:29:04 2014 -0600
mesa: fix _mesa_free_pipeline_data() use-after-free bug
Unreference the ctx->_Shader object before we delete all the pipeline
objects in the hash table. Before, ctx->_Shader could point to freed
memory when _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)
was called.
Fixes crash when exiting the piglit rendezvous_by_location test on
Windows.
Cc: mesa-stable at lists.freedesktop.org
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
---
src/mesa/main/pipelineobj.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mesa/main/pipelineobj.c b/src/mesa/main/pipelineobj.c
index 017d425..b713d95 100644
--- a/src/mesa/main/pipelineobj.c
+++ b/src/mesa/main/pipelineobj.c
@@ -120,12 +120,12 @@ delete_pipelineobj_cb(GLuint id, void *data, void *userData)
void
_mesa_free_pipeline_data(struct gl_context *ctx)
{
+ _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
+
_mesa_HashDeleteAll(ctx->Pipeline.Objects, delete_pipelineobj_cb, ctx);
_mesa_DeleteHashTable(ctx->Pipeline.Objects);
- _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
_mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default);
-
}
/**
More information about the mesa-commit
mailing list