Mesa (master): st_glsl_to_nir: fix potential use after free

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed Jun 17 01:59:51 UTC 2020 

Module: Mesa
Branch: master
Commit: b2e9d21fdd679fba80c358ed7871c30987d10e05
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=b2e9d21fdd679fba80c358ed7871c30987d10e05

Author: Timothy Arceri <tarceri at itsqueeze.com>
Date:   Tue Jun 16 09:35:09 2020 +1000

st_glsl_to_nir: fix potential use after free

When updating the shader info used by GL for the API we must
remember to make sure to restore the pointers to its own name
and label strings. There are a number of ways in which the nir
copy of these strings can be freed before GL is finished with
them.

Fixes: 36be8c2fcf94 ("st/glsl_to_nir: use nir_shader_gather_info()")
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/2875

Reviewed-by: Marek Olšák <marek.olsak at amd.com>
Reviewed-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer at amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/5488>

---

 src/mesa/state_tracker/st_glsl_to_nir.cpp | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/mesa/state_tracker/st_glsl_to_nir.cpp b/src/mesa/state_tracker/st_glsl_to_nir.cpp
index b99e8339ae0..fc3236861e2 100644
--- a/src/mesa/state_tracker/st_glsl_to_nir.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_nir.cpp
@@ -80,6 +80,19 @@ st_nir_fixup_varying_slots(struct st_context *st, struct exec_list *var_list)
    }
 }
 
+static void
+st_shader_gather_info(nir_shader *nir, struct gl_program *prog)
+{
+   nir_shader_gather_info(nir, nir_shader_get_entrypoint(nir));
+
+   /* Copy the info we just generated back into the gl_program */
+   const char *prog_name = prog->info.name;
+   const char *prog_label = prog->info.label;
+   prog->info = nir->info;
+   prog->info.name = prog_name;
+   prog->info.label = prog_label;
+}
+
 /* input location assignment for VS inputs must be handled specially, so
  * that it is aligned w/ st's vbo state.
  * (This isn't the case with, for ex, FS inputs, which only need to agree
@@ -768,8 +781,7 @@ st_link_nir(struct gl_context *ctx,
       NIR_PASS_V(nir, nir_lower_system_values);
       NIR_PASS_V(nir, nir_lower_clip_cull_distance_arrays);
 
-      nir_shader_gather_info(nir, nir_shader_get_entrypoint(nir));
-      shader->Program->info = nir->info;
+      st_shader_gather_info(nir, shader->Program);
       if (shader->Stage == MESA_SHADER_VERTEX) {
          /* NIR expands dual-slot inputs out to two locations.  We need to
           * compact things back down GL-style single-slot inputs to avoid

More information about the mesa-commit mailing list