[Mesa-dev] [PATCH] Bug 44205 - read from pointer after free

Anuj Phogat anuj.phogat at gmail.com
Wed Jan 4 09:46:15 PST 2012


On Tue 03 Jan 2012 07:14:09 PM PST, Ian Romanick wrote:
> On 01/03/2012 06:36 PM, Anuj Phogat wrote:
>> Coverity reported a read from pointer after free defect in
>> src/mesa/drivers/dri/intel/intel_mipmap_tree.c
>> In intel_miptree_all_slices_resolve() function, i = i->next was
>> executing after freeing i. I have defined a temporary variable
>> (next) to store the value of i->next before freeing i
>>
>> Reported-by: Vinson Lee <vlee at vmware.com>
>> Signed-off-by: Anuj Phogat <anuj.phogat at gmail.com>
>
> I suggest changing the short commit message to "Don't read node next
> pointer after freeing node" and adding
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44205
>
> to the commit message.  Then it's
>
> Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
Ian, I pushed the changes before seeing your e-mail with a modified
commit message:

    Fix read from pointer after free
    
    Coverity reported a read from pointer after free defect in
    src/mesa/drivers/dri/intel/intel_mipmap_tree.c. Bug# 44205
    In intel_miptree_all_slices_resolve() function, i = i->next was
    executing after freeing i. I have defined a temporary variable
    (next) to store the value of i->next before freeing i

Thanks
Anuj
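
The loop pattern the commit message describes, as an added example that is not part of the original e-mail and is not Mesa's code. The `struct node` type and the `push`, `resolve_all` and `demo` functions are hypothetical stand-ins, and the list contents are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical node type; not the structure used in intel_mipmap_tree.c. */
struct node {
    int slice;
    struct node *next;
};

/* Push a node on the front of the list and return the new head. */
static struct node *push(struct node *head, int slice)
{
    struct node *n = malloc(sizeof(*n));
    if (!n) abort();
    n->slice = slice;
    n->next = head;
    return n;
}

/*
 * Process and free every node, returning how many were handled.
 * The defective form is
 *     for (i = *head; i; i = i->next) { ...; free(i); }
 * where the increment expression reads i->next out of freed memory.
 * Saving the successor before free() removes that read.
 */
static int resolve_all(struct node **head)
{
    int resolved = 0;
    struct node *next;
    for (struct node *i = *head; i; i = next) {
        next = i->next;   /* read while i is still a live allocation */
        resolved++;       /* stand-in for the per-node work */
        free(i);
    }
    *head = NULL;         /* do not leave the caller a dangling head */
    return resolved;
}

/* Build a constructed n-node list and drain it; -1 if head was not cleared. */
static int demo(int n)
{
    struct node *head = NULL;
    for (int k = 0; k < n; k++)
        head = push(head, k);
    int count = resolve_all(&head);
    return head == NULL ? count : -1;
}

int main(void) { printf("resolved %d nodes\n", demo(4)); return 0; }
```

Building the defective form of the loop with `-fsanitize=address` makes the read of `i->next` fail at run time with a heap-use-after-free report, which catches this class of defect in test runs as well as in static analysis.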


