[Mesa-dev] [PATCH] mesa: fix _mesa_free_pipeline_data() use-after-free bug

Brian Paul brianp at vmware.com
Fri Sep 12 06:12:27 PDT 2014


Unreference the ctx->_Shader object before we delete all the pipeline
objects in the hash table.  Before, ctx->_Shader could point to freed
memory when _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)
was called.

Fixes crash when exiting the piglit rendezvous_by_location test on
Windows.

Cc: mesa-stable at lists.freedesktop.org
---
 src/mesa/main/pipelineobj.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/mesa/main/pipelineobj.c b/src/mesa/main/pipelineobj.c
index 017d425..b713d95 100644
--- a/src/mesa/main/pipelineobj.c
+++ b/src/mesa/main/pipelineobj.c
@@ -120,12 +120,12 @@ delete_pipelineobj_cb(GLuint id, void *data, void *userData)
 void
 _mesa_free_pipeline_data(struct gl_context *ctx)
 {
+   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
+
    _mesa_HashDeleteAll(ctx->Pipeline.Objects, delete_pipelineobj_cb, ctx);
    _mesa_DeleteHashTable(ctx->Pipeline.Objects);
 
-   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
    _mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default);
-
 }
 
 /**
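Review bot: the `_mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);` call moved to the top of `_mesa_free_pipeline_data()` now depends on running before `_mesa_HashDeleteAll()`, but nothing in the function says so. A short comment above it, noting that ctx->_Shader may point at an object stored in ctx->Pipeline.Objects and must be released before the table entries are deleted, would keep a later cleanup from moving it back down. In the same function, `_mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default);` still frees the default object directly rather than dropping a reference, so it is worth confirming that no other pointer in ctx can still refer to it at that point.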
-- 
1.7.10.4


