[Mesa-dev] [Mesa-stable] [PATCH] mesa: fix _mesa_free_pipeline_data() use-after-free bug

Ian Romanick idr at freedesktop.org
Fri Sep 12 07:56:24 PDT 2014


On 09/12/2014 06:12 AM, Brian Paul wrote:
> Unreference the ctx->_Shader object before we delete all the pipeline
> objects in the hash table.  Before, ctx->_Shader could point to freed
> memory when _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)
> was called.
> 
> Fixes crash when exiting the piglit rendezvous_by_location test on
> Windows.
> 
> Cc: mesa-stable at lists.freedesktop.org

Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>

> ---
>  src/mesa/main/pipelineobj.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/mesa/main/pipelineobj.c b/src/mesa/main/pipelineobj.c
> index 017d425..b713d95 100644
> --- a/src/mesa/main/pipelineobj.c
> +++ b/src/mesa/main/pipelineobj.c
> @@ -120,12 +120,12 @@ delete_pipelineobj_cb(GLuint id, void *data, void *userData)
>  void
>  _mesa_free_pipeline_data(struct gl_context *ctx)
>  {
> +   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
> +
>     _mesa_HashDeleteAll(ctx->Pipeline.Objects, delete_pipelineobj_cb, ctx);
>     _mesa_DeleteHashTable(ctx->Pipeline.Objects);
>  
> -   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
>     _mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default);
> -
>  }
>  
>  /**
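
Review bot: the moved `_mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)` call at the top of `_mesa_free_pipeline_data()` now has to stay ahead of `_mesa_HashDeleteAll()`, but nothing in the function says so. A short comment above it, noting that ctx->_Shader may point at an object stored in ctx->Pipeline.Objects and must be unreferenced before the table is emptied, would keep a later cleanup from reordering it back into the use-after-free. In the same function, ctx->Pipeline.Objects and ctx->Pipeline.Default still hold freed pointers after `_mesa_DeleteHashTable()` and `_mesa_delete_pipeline_object()` return; setting both to NULL there would turn any later stale access into a null dereference instead of a read of freed memory.
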
> 


