Mesa (master): i915g: fix use after free

Daniel Vetter danvet at kemper.freedesktop.org
Sat Mar 12 19:44:42 UTC 2011 

Module: Mesa
Branch: master
Commit: 06713a40798d97aa520b119731418ff16a92e4ba
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=06713a40798d97aa520b119731418ff16a92e4ba

Author: Daniel Vetter <daniel.vetter at ffwll.ch>
Date:   Fri Mar 11 23:20:44 2011 +0100

i915g: fix use after free

Pipe templates should be copied if still needed after the create
call completes.

Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>

---

 src/gallium/drivers/i915/i915_context.h |    2 +-
 src/gallium/drivers/i915/i915_state.c   |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/gallium/drivers/i915/i915_context.h b/src/gallium/drivers/i915/i915_context.h
index 96abaf3..62becbc 100644
--- a/src/gallium/drivers/i915/i915_context.h
+++ b/src/gallium/drivers/i915/i915_context.h
@@ -188,7 +188,7 @@ struct i915_rasterizer_state {
    unsigned LIS7;
    unsigned sc[1];
 
-   const struct pipe_rasterizer_state *templ;
+   struct pipe_rasterizer_state templ;
 
    union { float f; unsigned u; } ds[2];
 };
diff --git a/src/gallium/drivers/i915/i915_state.c b/src/gallium/drivers/i915/i915_state.c
index a694649..4d134c1 100644
--- a/src/gallium/drivers/i915/i915_state.c
+++ b/src/gallium/drivers/i915/i915_state.c
@@ -688,7 +688,7 @@ i915_create_rasterizer_state(struct pipe_context *pipe,
 {
    struct i915_rasterizer_state *cso = CALLOC_STRUCT( i915_rasterizer_state );
 
-   cso->templ = rasterizer;
+   cso->templ = *rasterizer;
    cso->color_interp = rasterizer->flatshade ? INTERP_CONSTANT : INTERP_LINEAR;
    cso->light_twoside = rasterizer->light_twoside;
    cso->ds[0].u = _3DSTATE_DEPTH_OFFSET_SCALE;
@@ -759,7 +759,7 @@ static void i915_bind_rasterizer_state( struct pipe_context *pipe,
 
    /* pass-through to draw module */
    draw_set_rasterizer_state(i915->draw,
-                           (i915->rasterizer ? i915->rasterizer->templ : NULL),
+                           (i915->rasterizer ? &(i915->rasterizer->templ) : NULL),
                            raster);
 
    i915->dirty |= I915_NEW_RASTERIZER;

More information about the mesa-commit mailing list