Mesa (10.2): glsl: fix use-after free bug/crash in ast_declarator_list:: hir()
Ian Romanick
idr at kemper.freedesktop.org
Thu May 29 23:02:05 UTC 2014
Module: Mesa
Branch: 10.2
Commit: 55b9effa4a23755232e433d3da4f422a1f74fd82
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=55b9effa4a23755232e433d3da4f422a1f74fd82
Author: Brian Paul <brianp at vmware.com>
Date: Fri May 23 14:59:33 2014 -0600
glsl: fix use-after free bug/crash in ast_declarator_list::hir()
The call to get_variable_being_redeclared() may delete 'var' so we
can't reference var->name afterward. We fix that by examining the
var's name before making that call.
Fixes valgrind warnings and possible crash when running the piglit
tests/spec/glsl-1.30/execution/clipping/vs-clip-distance-in-param.shader_test
test (and probably others).
Cc: "10.1 10.2" <mesa-stable at lists.freedesktop.org>
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
(cherry picked from commit f9cecca7a6e3d9ff231075381b88d179e153a5a4)
---
src/glsl/ast_to_hir.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/glsl/ast_to_hir.cpp b/src/glsl/ast_to_hir.cpp
index 7516c33..332f934 100644
--- a/src/glsl/ast_to_hir.cpp
+++ b/src/glsl/ast_to_hir.cpp
@@ -3652,11 +3652,15 @@ ast_declarator_list::hir(exec_list *instructions,
* instruction stream.
*/
exec_list initializer_instructions;
+
+ /* Examine var name here since var may get deleted in the next call */
+ bool var_is_gl_id = (strncmp(var->name, "gl_", 3) == 0);
+
ir_variable *earlier =
get_variable_being_redeclared(var, decl->get_location(), state,
false /* allow_all_redeclarations */);
if (earlier != NULL) {
- if (strncmp(var->name, "gl_", 3) == 0 &&
+ if (var_is_gl_id &&
earlier->data.how_declared == ir_var_declared_in_block) {
_mesa_glsl_error(&loc, state,
"`%s' has already been redeclared using "
More information about the mesa-commit
mailing list