[Mesa-dev] [PATCH] glsl: fix heap-use-after-free in ast_declarator_list::hir()

Samuel Iglesias Gonsálvez siglesias at igalia.com
Tue Feb 7 10:45:31 UTC 2017

The get_variable_being_redeclared() function can free 'var' because
a re-declaration of an unsized array variable can establish the size, so
we set the array type to the earlier declaration and free 'var' as it is
not needed anymore.

However, the same 'var' is referenced later in ast_declarator_list::hir().
This patch fixes it by assigning 'earlier' to var, as this variable is
the one we keep.

This error was detected by Address Sanitizer.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
Signed-off-by: Samuel Iglesias Gonsálvez <siglesias at igalia.com>
 src/compiler/glsl/ast_to_hir.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index b31b61d1ed6..99b5a7957ab 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -3999,7 +3999,7 @@ get_variable_being_redeclared(ir_variable *var, YYLTYPE loc,
       earlier->type = var->type;
       delete var;
-      var = NULL;
+      var = earlier;
    } else if ((state->ARB_fragment_coord_conventions_enable ||
               state->is_version(150, 0))
               && strcmp(var->name, "gl_FragCoord") == 0
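Review bot: the replacement line `var = earlier;` only rewrites the function's own copy of the pointer. The hunk header shows the parameter is passed by value as `ir_variable *var`, so the assignment is invisible to ast_declarator_list::hir(), which the commit message says still dereferences `var` after this call; that caller keeps its dangling pointer and the heap-use-after-free reported by Address Sanitizer is not closed there. Either pass the pointer by reference (e.g. `ir_variable **var_ptr` and `*var_ptr = earlier;` after the `delete var;`), or make the caller switch to the returned `earlier` before touching `var` again. Also worth noting that, because `var` is freed on this path, any later use of `var->name` in the remaining branches of this function is only safe if that use is on the `else` side of the condition.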