[Mesa-dev] [PATCH] glsl: fix heap-use-after-free in ast_declarator_list::hir()
Samuel Iglesias Gonsálvez
siglesias at igalia.com
Tue Feb 7 11:38:14 UTC 2017
On Tue, 2017-02-07 at 12:01 +0100, Bartosz Tomczyk wrote:
> Hi Samuel,
> Var pointer is passed by value to get_variable_being_redeclared, so
> it will not fix the issue. I think it should be changed to pointer
> to pointer.
>
Oh, you are right... what a day! :)
I am going to send a v2.
Thanks!
> On Tue, Feb 7, 2017 at 11:45 AM, Samuel Iglesias Gonsálvez
> <siglesias@igalia.com> wrote:
> > The get_variable_being_redeclared() function can free 'var' because
> > a re-declaration of an unsized array variable can establish the size, so
> > we set the array type to the earlier declaration and free 'var' as it is
> > not needed anymore.
> >
> > However, the same 'var' is referenced later in
> > ast_declarator_list::hir().
> >
> > This patch fixes it by assigning 'earlier' to var, as this variable is
> > the one we keep.
> >
> > This error was detected by Address Sanitizer.
> >
> > Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
> > Signed-off-by: Samuel Iglesias Gonsálvez <siglesias at igalia.com>
> >
> > ---
> >
> > src/compiler/glsl/ast_to_hir.cpp | 2 +-
> >
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> >
> >
> > diff --git a/src/compiler/glsl/ast_to_hir.cpp
> > b/src/compiler/glsl/ast_to_hir.cpp
> >
> > index b31b61d1ed6..99b5a7957ab 100644
> >
> > --- a/src/compiler/glsl/ast_to_hir.cpp
> >
> > +++ b/src/compiler/glsl/ast_to_hir.cpp
> >
> > @@ -3999,7 +3999,7 @@ get_variable_being_redeclared(ir_variable
> > *var, YYLTYPE loc,
> >
> >
> >
> > earlier->type = var->type;
> >
> > delete var;
> >
> > - var = NULL;
> >
> > + var = earlier;
> >
> > } else if ((state->ARB_fragment_coord_conventions_enable ||
> >
> > state->is_version(150, 0))
> >
> > && strcmp(var->name, "gl_FragCoord") == 0
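Review bot: `var = earlier;` only changes the callee's copy of the pointer, because the hunk header declares the parameter as `ir_variable *var`, passed by value; the caller still holds the address that `delete var;` just released, so the use-after-free described in the commit message remains. Take the parameter as `ir_variable **` and write `*var = earlier;`, or otherwise hand the kept variable back to the caller explicitly, and note at the declaration that the function may free and replace the variable it is given.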
> >
> > --
> >
> > 2.11.0
> >
> >
> >
> > _______________________________________________
> >
> > mesa-dev mailing list
> >
> > mesa-dev at lists.freedesktop.org
> >
> > https://lists.freedesktop.org/mailman/listinfo/mesa-dev
> >
> >
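The pass-by-value problem raised in the reply above, next to the pointer-to-pointer variant, as an added example that is not part of the original thread or Mesa's code. `Var`, `release()` and the `redeclare_*` functions are hypothetical stand-ins, and `delete` is simulated with a flag so the stale pointer can be inspected without undefined behaviour.

```cpp
#include <cstdio>

// Hypothetical stand-in for ir_variable. 'freed' simulates 'delete' so the
// caller's stale pointer can be examined safely.
struct Var {
    int array_size;   // 0 = unsized array
    bool freed;
};

static void release(Var *v) { v->freed = true; }  // stands in for 'delete v'

// v1 pattern: 'var' is a copy of the caller's pointer, so the reassignment
// is lost on return and the caller keeps pointing at the released object.
static void redeclare_by_value(Var *var, Var *earlier) {
    earlier->array_size = var->array_size;
    release(var);
    var = earlier;    // changes the local copy only
    (void)var;
}

// Pointer-to-pointer variant: the caller's own pointer is redirected.
static void redeclare_by_pointer(Var **var, Var *earlier) {
    earlier->array_size = (*var)->array_size;
    release(*var);
    *var = earlier;
}

// Each helper plays the caller and reports whether the pointer it would go
// on to use refers to a released object.
bool caller_uses_freed_after_by_value() {
    Var earlier = {0, false}, redecl = {4, false};
    Var *var = &redecl;
    redeclare_by_value(var, &earlier);
    return var->freed;
}

bool caller_uses_freed_after_by_pointer() {
    Var earlier = {0, false}, redecl = {4, false};
    Var *var = &redecl;
    redeclare_by_pointer(&var, &earlier);
    return var->freed;
}

int main() {
    std::printf("by value:   stale=%d\n", caller_uses_freed_after_by_value());
    std::printf("by pointer: stale=%d\n", caller_uses_freed_after_by_pointer());
    return 0;
}
```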