[Mesa-dev] [PATCH 1/2] glsl: fix use-after free bug/crash in ast_declarator_list::hir()

Ian Romanick idr at freedesktop.org
Wed May 28 10:21:36 PDT 2014


On 05/23/2014 02:22 PM, Brian Paul wrote:
> The call to get_variable_being_redeclared() may delete 'var' so we
> can't reference var->name afterward.  We fix that by examining the
> var's name before making that call.
> 
> Fixes valgrind warnings and possible crash when running the piglit
> tests/spec/glsl-1.30/execution/clipping/vs-clip-distance-in-param.shader_test
> test (and probably others).
> 
> Cc: "10.1 10.2" <mesa-stable at lists.freedesktop.org>
> ---
>  src/glsl/ast_to_hir.cpp |    6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/src/glsl/ast_to_hir.cpp b/src/glsl/ast_to_hir.cpp
> index 0128b3f..e06f9b4 100644
> --- a/src/glsl/ast_to_hir.cpp
> +++ b/src/glsl/ast_to_hir.cpp
> @@ -3651,11 +3651,15 @@ ast_declarator_list::hir(exec_list *instructions,
>         * instruction stream.
>         */
>        exec_list initializer_instructions;
> +
> +      /* Examine var name here since var may get deleted in the next call */
> +      bool var_is_gl_id = (strncmp(var->name, "gl_", 3) == 0);
> +
>        ir_variable *earlier =
>           get_variable_being_redeclared(var, decl->get_location(), state,
>                                         false /* allow_all_redeclarations */);
>        if (earlier != NULL) {
> -         if (strncmp(var->name, "gl_", 3) == 0 &&
> +         if (var_is_gl_id &&

I think this could also be

         if (strncmp(earlier->name, "gl_", 3) == 0 &&

since var and earlier are supposed to be the same variable.  Either way,

Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>

>               earlier->data.how_declared == ir_var_declared_in_block) {
>              _mesa_glsl_error(&loc, state,
>                               "`%s' has already been redeclared using "
> 
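Review bot: the hunk ends inside the _mesa_glsl_error() call, so the argument that fills the `%s' placeholder is not visible; given the new comment that var may be deleted by get_variable_being_redeclared(), that argument, and anything else in the `earlier != NULL` block after the call, must not read var->name either, otherwise the use-after-free is only moved, not removed. Using earlier->name for the message sidesteps the lifetime question entirely. The comment on the new local would also be clearer if it named the call that owns the lifetime, e.g. `/* Read var->name now: get_variable_being_redeclared() may delete var */`.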