[Mesa-dev] [PATCH] glsl: fix heap-use-after-free in ast_declarator_list::hir()

Bartosz Tomczyk bartosz.tomczyk86 at gmail.com
Tue Feb 7 11:25:16 UTC 2017


Yep, it's a pointer but should be "pointer to pointer" (**var). Changing var
inside the get_variable_being_redeclared function doesn't change its value
outside this function. But maybe I'm missing something.

On Tue, Feb 7, 2017 at 12:11 PM, Samuel Iglesias Gonsálvez <
siglesias at igalia.com> wrote:

> On Tue, 2017-02-07 at 12:01 +0100, Bartosz Tomczyk wrote:
> > Hi Samuel,
> >
> > Var pointer is passed by value to get_variable_being_redeclared, so
> > it will not fix the issue. I think it should be changed to pointer
> > to pointer.
> >
>
> It is already a pointer. See get_variable_being_redeclared() signature:
>
> static ir_variable *
> get_variable_being_redeclared(ir_variable *var, YYLTYPE loc,
>                               struct _mesa_glsl_parse_state *state,
>                               bool allow_all_redeclarations)
>
> Sam
>
> > On Tue, Feb 7, 2017 at 11:45 AM, Samuel Iglesias Gonsálvez
> > <siglesias at igalia.com> wrote:
> > > The get_variable_being_redeclared() function can free 'var' because
> > > a re-declaration of an unsized array variable can establish the
> > > size, so
> > > we set the array type to the earlier declaration and free 'var' as
> > > it is
> > > not needed anymore.
> > >
> > > However, the same 'var' is referenced later in
> > > ast_declarator_list::hir().
> > > This patch fixes it by assigning 'earlier' to var, as this variable
> > > is
> > > the one we keep.
> > >
> > > This error was detected by Address Sanitizer.
> > >
> > > Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
> > > Signed-off-by: Samuel Iglesias Gonsálvez <siglesias at igalia.com>
> > > ---
> > >  src/compiler/glsl/ast_to_hir.cpp | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/src/compiler/glsl/ast_to_hir.cpp
> > > b/src/compiler/glsl/ast_to_hir.cpp
> > > index b31b61d1ed6..99b5a7957ab 100644
> > > --- a/src/compiler/glsl/ast_to_hir.cpp
> > > +++ b/src/compiler/glsl/ast_to_hir.cpp
> > > @@ -3999,7 +3999,7 @@ get_variable_being_redeclared(ir_variable
> > > *var, YYLTYPE loc,
> > >
> > >        earlier->type = var->type;
> > >        delete var;
> > > -      var = NULL;
> > > +      var = earlier;
> > >     } else if ((state->ARB_fragment_coord_conventions_enable ||
> > >                state->is_version(150, 0))
> > >                && strcmp(var->name, "gl_FragCoord") == 0
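Review bot: the assignment `var = earlier;` after `delete var;` only updates the callee's local copy of the parameter (`ir_variable *var` in the signature above), so the caller's `var` in ast_declarator_list::hir() still points at the freed object and the use-after-free from bug 99677 remains. Since the function already returns `ir_variable *`, either have the caller reassign `var` from the return value (returning `earlier` on this path), or change the parameter to `ir_variable *&var` so the update is visible to the caller; the old `var = NULL;` was equally local, which is why ASan still fires.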
> > > --
> > > 2.11.0
> > >
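The disagreement in the thread comes down to C++ parameter semantics: a pointer passed by value is copied, so a callee that deletes the pointee and then reassigns its own copy leaves the caller holding a dangling pointer. The following added example (not Mesa code; `ir_variable` here is a constructed stand-in with only a name and an array size, and the two `redeclare_*` functions are hypothetical) shows the by-value pattern from the patch leaving the caller's pointer unchanged, and the two fixes discussed in the thread: taking the pointer by reference, or having the caller adopt the returned `earlier`. Only pointer values are compared; the freed object is never dereferenced.

```cpp
// Added example, not from Mesa: why assigning to a pointer parameter inside a
// callee does not update the caller's pointer, and two ways that do.
#include <string>

// Minimal stand-in for Mesa's ir_variable (constructed, hypothetical).
struct ir_variable {
    std::string name;
    int array_size;   // 0 = unsized, as in an "int a[];" declaration
};

// Mirrors the patched callee: 'var' is a copy of the caller's pointer, so the
// assignment after delete changes only this local copy. Returns the surviving
// declaration, like the real function's ir_variable* return value.
static ir_variable *
redeclare_by_value(ir_variable *var, ir_variable *earlier)
{
    earlier->array_size = var->array_size;   // re-declaration supplies the size
    delete var;                              // the later declaration is dropped
    var = earlier;                           // local copy only; caller still dangles
    return earlier;
}

// Fix A: take the pointer by reference so the caller's variable is updated.
static ir_variable *
redeclare_by_ref(ir_variable *&var, ir_variable *earlier)
{
    earlier->array_size = var->array_size;
    delete var;
    var = earlier;                           // writes through to the caller's pointer
    return earlier;
}

// Returns true when the by-value callee leaves the caller's pointer pointing at
// the deleted object (the situation Address Sanitizer reported).
bool by_value_leaves_dangling()
{
    ir_variable *earlier = new ir_variable{"a", 0};
    ir_variable *var = new ir_variable{"a", 4};
    ir_variable *before = var;
    redeclare_by_value(var, earlier);
    bool dangling = (var == before);         // unchanged: still the freed object
    delete earlier;
    return dangling;
}

// Fix A checked: after the call the caller's 'var' is 'earlier' and is safe to use.
bool by_ref_updates_caller()
{
    ir_variable *earlier = new ir_variable{"a", 0};
    ir_variable *var = new ir_variable{"a", 4};
    redeclare_by_ref(var, earlier);
    bool ok = (var == earlier) && var->array_size == 4;
    delete earlier;
    return ok;
}

// Fix B: keep the by-value signature but make the caller adopt the return value.
bool caller_uses_return_value()
{
    ir_variable *earlier = new ir_variable{"a", 0};
    ir_variable *var = new ir_variable{"a", 4};
    var = redeclare_by_value(var, earlier);
    bool ok = (var == earlier) && var->array_size == 4;
    delete earlier;
    return ok;
}

int main()
{
    return (by_value_leaves_dangling() && by_ref_updates_caller()
            && caller_uses_return_value()) ? 0 : 1;
}
```

Built with `-fsanitize=address`, dereferencing `var` after `redeclare_by_value` would be reported as a heap-use-after-free, which is exactly the signal from the original bug; the example deliberately stops at comparing addresses so it runs cleanly while still showing that the caller's pointer was not updated.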