[Mesa-dev] [Mesa-stable] [PATCH] mesa: fix _mesa_free_pipeline_data() use-after-free bug
Ian Romanick
idr at freedesktop.org
Fri Sep 12 07:56:24 PDT 2014
On 09/12/2014 06:12 AM, Brian Paul wrote:
> Unreference the ctx->_Shader object before we delete all the pipeline
> objects in the hash table. Before, ctx->_Shader could point to freed
> memory when _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)
> was called.
>
> Fixes crash when exiting the piglit rendezvous_by_location test on
> Windows.
>
> Cc: mesa-stable at lists.freedesktop.org
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
> ---
> src/mesa/main/pipelineobj.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/mesa/main/pipelineobj.c b/src/mesa/main/pipelineobj.c
> index 017d425..b713d95 100644
> --- a/src/mesa/main/pipelineobj.c
> +++ b/src/mesa/main/pipelineobj.c
> @@ -120,12 +120,12 @@ delete_pipelineobj_cb(GLuint id, void *data, void *userData)
> void
> _mesa_free_pipeline_data(struct gl_context *ctx)
> {
> + _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
> +
> _mesa_HashDeleteAll(ctx->Pipeline.Objects, delete_pipelineobj_cb, ctx);
> _mesa_DeleteHashTable(ctx->Pipeline.Objects);
>
> - _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
> _mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default);
> -
> }
>
> /**
>
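Review bot: the `_mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)` call, now the first statement of `_mesa_free_pipeline_data()`, must stay ahead of `_mesa_HashDeleteAll()`, and nothing in the code says so. A later cleanup could move it back and reintroduce the use-after-free. Consider a one-line comment above it, for example "Drop ctx->_Shader first: it may point at an object in Pipeline.Objects, which is freed below." Separately, `ctx->Pipeline.Objects` and `ctx->Pipeline.Default` keep their old pointer values after `_mesa_DeleteHashTable()` and `_mesa_delete_pipeline_object()`. Setting both to NULL after they are freed would make any later access fail in an obvious way instead of reading freed memory.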