[Mesa-dev] [PATCH] glsl: fix heap-use-after-free in ast_declarator_list::hir()

Bartosz Tomczyk bartosz.tomczyk86 at gmail.com
Tue Feb 7 11:01:39 UTC 2017


Hi Samuel,

Var pointer is passed by value to get_variable_being_redeclared, so it
will not fix the issue. I think it should be changed to a pointer to pointer.

On Tue, Feb 7, 2017 at 11:45 AM, Samuel Iglesias Gonsálvez <
siglesias at igalia.com> wrote:

> The get_variable_being_redeclared() function can free 'var' because
> a re-declaration of an unsized array variable can establish the size, so
> we set the array type to the earlier declaration and free 'var' as it is
> not needed anymore.
>
> However, the same 'var' is referenced later in ast_declarator_list::hir().
> This patch fixes it by assigning 'earlier' to var, as this variable is
> the one we keep.
>
> This error was detected by Address Sanitizer.
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
> Signed-off-by: Samuel Iglesias Gonsálvez <siglesias at igalia.com>
> ---
>  src/compiler/glsl/ast_to_hir.cpp | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_
> hir.cpp
> index b31b61d1ed6..99b5a7957ab 100644
> --- a/src/compiler/glsl/ast_to_hir.cpp
> +++ b/src/compiler/glsl/ast_to_hir.cpp
> @@ -3999,7 +3999,7 @@ get_variable_being_redeclared(ir_variable *var,
> YYLTYPE loc,
>
>        earlier->type = var->type;
>        delete var;
> -      var = NULL;
> +      var = earlier;
>     } else if ((state->ARB_fragment_coord_conventions_enable ||
>                state->is_version(150, 0))
>                && strcmp(var->name, "gl_FragCoord") == 0
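
Review bot: The new `var = earlier;` assignment only updates the callee's local copy, because the hunk header shows the parameter declared as `ir_variable *var`, a pointer passed by value. After `delete var;` the caller's pointer still refers to the freed object, so the later reference in ast_declarator_list::hir() described in the commit message remains a heap-use-after-free. Consider taking the parameter as `ir_variable **` (or a reference to the pointer) and writing `earlier` through it, so the caller's pointer is updated to the declaration that is kept. A short comment at the `delete var;` line stating that the function may free its argument and hand back the earlier declaration would also help future callers avoid the same mistake.
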
> --
> 2.11.0