[Mesa-dev] [PATCH 3/3] st/mesa: fix context use-after-free problem in st_renderbuffer_delete()

Jose Fonseca jfonseca at vmware.com
Fri Nov 30 10:54:16 PST 2012


Series looks good to me.

Jose

----- Original Message -----
> The use-after-free happened when the renderbuffer was shared by multiple
> contexts and we tried to delete the renderbuffer using a context which
> was previously deleted.
> 
> Note: this is a candidate for the stable branches.
> ---
>  src/mesa/state_tracker/st_cb_fbo.c |    8 +++++---
>  1 files changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/mesa/state_tracker/st_cb_fbo.c
> b/src/mesa/state_tracker/st_cb_fbo.c
> index 05a1dc6..04907c9 100644
> --- a/src/mesa/state_tracker/st_cb_fbo.c
> +++ b/src/mesa/state_tracker/st_cb_fbo.c
> @@ -228,8 +228,10 @@ static void
>  st_renderbuffer_delete(struct gl_context *ctx, struct
>  gl_renderbuffer *rb)
>  {
>     struct st_renderbuffer *strb = st_renderbuffer(rb);
> -   ASSERT(strb);
> -   pipe_surface_reference(&strb->surface, NULL);
> +   struct st_context *st = st_context(ctx);
> +   struct pipe_context *pipe = st->pipe;
> +
> +   pipe_surface_release(pipe, &strb->surface);
>     pipe_resource_reference(&strb->texture, NULL);
>     free(strb->data);
>     _mesa_delete_renderbuffer(ctx, rb);
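Review bot: In st_renderbuffer_delete() the new `st->pipe` read dereferences the result of st_context(ctx) with no check, and the old ASSERT(strb) is dropped without a word in the commit message. Since the bug being fixed is about which context is still alive at delete time, the function should state its precondition: either assert that ctx and st are non-NULL before `struct pipe_context *pipe = st->pipe;`, or add a comment that the caller always passes a live context. A one-line comment above pipe_surface_release() saying that it deliberately uses the caller's pipe rather than the context stored in the surface would also stop someone from switching it back to pipe_surface_reference(&strb->surface, NULL) later.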
> @@ -434,7 +436,7 @@ st_render_texture(struct gl_context *ctx,
>  
>     pipe_resource_reference( &strb->texture, pt );
>  
> -   pipe_surface_reference(&strb->surface, NULL);
> +   pipe_surface_release(pipe, &strb->surface);
>  
>     assert(strb->rtt_level <= strb->texture->last_level);
>  
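Review bot: In st_render_texture() the replacement call `pipe_surface_release(pipe, &strb->surface);` depends on a `pipe` local whose declaration is outside the visible context, so please confirm it is the pipe of the ctx argument and not one cached from another context, otherwise the same stale-context problem remains on this path. It is also worth checking that no other `pipe_surface_reference(&strb->surface, NULL)` call is left in st_cb_fbo.c, since the diffstat only accounts for the two sites shown here.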
> --
> 1.7.3.4
> 
> 

