[Mesa-dev] [PATCH] Bug 44205 - read from pointer after free

Ian Romanick idr at freedesktop.org
Tue Jan 3 19:14:09 PST 2012


On 01/03/2012 06:36 PM, Anuj Phogat wrote:
> Coverity reported a read from pointer after free defect in
> src/mesa/drivers/dri/intel/intel_mipmap_tree.c
> In the intel_miptree_all_slices_resolve() function, i = i->next was
> executed after freeing i. I have defined a temporary variable
> (next) to store the value of i->next before freeing i.
>
> Reported-by: Vinson Lee<vlee at vmware.com>
> Signed-off-by: Anuj Phogat<anuj.phogat at gmail.com>

I suggest changing the short commit message to "Don't read node next 
pointer after freeing node" and adding

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44205

to the commit message.  Then it's

Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>

> ---
>   src/mesa/drivers/dri/intel/intel_mipmap_tree.c |    5 +++--
>   1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
> index 60cc694..7787c1a 100644
> --- a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
> +++ b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
> @@ -640,12 +640,13 @@ intel_miptree_all_slices_resolve(struct intel_context *intel,
>   				 resolve_func_t func)
>   {
>      bool did_resolve = false;
> -   struct intel_resolve_map *i;
> +   struct intel_resolve_map *i, *next;
>
> -   for (i = mt->hiz_map.next; i; i = i->next) {
> +   for (i = mt->hiz_map.next; i; i = next) {
>         if (i->need != need)
>   	 continue;
>         func(intel, mt, i->level, i->layer);
> +      next = i->next;
>         intel_resolve_map_remove(i);
>         did_resolve = true;
>      }
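Review bot: next is not assigned on the continue path of this hunk, so the loop increment i = next reads an uninitialized or stale value. When the first node has i->need != need, the continue at the top of the body jumps to i = next before next has ever been written; when a non-matching node follows a removed one, next still holds the pointer saved for the removed node, which is this same node, so i = next re-yields it and the loop never advances. Make the save the first statement of the body, before the need check, so every path reads it while i is still live:

   next = i->next;
   if (i->need != need)
      continue;

That placement still reads i->next before intel_resolve_map_remove(i), so it also keeps the read-after-free fix the patch is for.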
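The pattern the commit message describes, removing nodes from a linked list while walking it, is easy to get subtly wrong, so here is an added example of the safe form in C. It is not Mesa code: the list type, the sentinel head and the helper names (rnode, rlist_push, rnode_remove, resolve_all) are assumptions chosen to mirror the shape of the driver loop, and the list contents are constructed for the example. The point it shows is that the next pointer has to be saved as the first statement of the body, so that neither a continue nor the free can reach the loop increment with a freed or stale pointer.

```c
#include <stdlib.h>

/* Constructed stand-in for the driver's resolve map entry; the real
 * struct and its helpers differ, these names are assumptions. */
struct rnode {
    struct rnode *prev, *next;
    int need;            /* which kind of resolve this entry asks for */
    int level;           /* payload, only used to tell nodes apart */
};

/* Doubly linked list with a sentinel head: head.next is the first node. */
struct rlist {
    struct rnode head;
};

static void rlist_init(struct rlist *l)
{
    l->head.prev = l->head.next = NULL;
    l->head.need = l->head.level = -1;
}

/* Insert a new node right after the sentinel. */
static struct rnode *rlist_push(struct rlist *l, int need, int level)
{
    struct rnode *n = calloc(1, sizeof(*n));
    if (!n)
        return NULL;
    n->need = need;
    n->level = level;
    n->prev = &l->head;
    n->next = l->head.next;
    if (n->next)
        n->next->prev = n;
    l->head.next = n;
    return n;
}

/* Unlink and free a node. After this returns, n is dangling: the caller
 * must not touch n->next or any other field of it. */
static void rnode_remove(struct rnode *n)
{
    n->prev->next = n->next;
    if (n->next)
        n->next->prev = n->prev;
    free(n);
}

/* Remove every node whose need matches and return how many were removed.
 * The successor is read before the need check, so the continue path and
 * the free path both reach i = next with a pointer saved from a live node. */
static int resolve_all(struct rlist *l, int need)
{
    int did_resolve = 0;
    struct rnode *i, *next;

    for (i = l->head.next; i; i = next) {
        next = i->next;          /* first statement: before continue or free */
        if (i->need != need)
            continue;
        rnode_remove(i);         /* i is freed here; only next is used after */
        did_resolve++;
    }
    return did_resolve;
}

static int rlist_len(const struct rlist *l)
{
    int n = 0;
    for (const struct rnode *i = l->head.next; i; i = i->next)
        n++;
    return n;
}

/* Constructed scenario: four nodes alternating need 1 / need 2, so the
 * walk exercises both the continue path and the removal path.
 * Returns removed * 10 + remaining, i.e. 22 for this input. */
static int demo(void)
{
    struct rlist l;
    rlist_init(&l);
    rlist_push(&l, 1, 0);
    rlist_push(&l, 2, 1);
    rlist_push(&l, 1, 2);
    rlist_push(&l, 2, 3);

    int removed = resolve_all(&l, 1);
    int remaining = rlist_len(&l);

    while (l.head.next)          /* drain what is left */
        rnode_remove(l.head.next);
    return removed * 10 + remaining;
}
```

If the save is moved below the need check, as in the quoted hunk, a non-matching node hits i = next with a value that was never written (first iteration) or with the pointer saved for the node removed just before it, which is the current node itself, so the walk either reads garbage or spins on the same element. Running the example under a memory checker such as Valgrind or ASan is a cheap way to catch the read-after-free variant of this bug in real driver code.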