[Mesa-dev] [PATCH 1/2] glsl: fix heap-use-after-free in ast_declarator_list::hir()
Ian Romanick
idr at freedesktop.org
Thu Feb 23 01:39:40 UTC 2017
On 02/09/2017 06:23 AM, Samuel Iglesias Gonsálvez wrote:
> The get_variable_being_redeclared() function can free 'var' because
> a re-declaration of an unsized array variable can establish the size, so
> we set the array type to the 'earlier' declaration and free 'var' as it is
> not needed anymore.
>
> However, the same 'var' is referenced later in ast_declarator_list::hir().
>
> This patch fixes it by picking the ir_variable_mode from the proper
> ir_variable.
>
> This error was detected by Address Sanitizer.
>
> Signed-off-by: Samuel Iglesias Gonsálvez <siglesias at igalia.com>
> Suggested-by: Ian Romanick <ian.d.romanick at intel.com>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
> Cc: "17.0" <mesa-stable at lists.freedesktop.org>
Sorry for falling asleep at the wheel. Series is:
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
I think this patch is also a candidate for 13.0.x... assuming Emil is
doing another one.
> ---
> src/compiler/glsl/ast_to_hir.cpp | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
> index b31b61d1ed6..3613161472d 100644
> --- a/src/compiler/glsl/ast_to_hir.cpp
> +++ b/src/compiler/glsl/ast_to_hir.cpp
> @@ -5262,11 +5262,13 @@ ast_declarator_list::hir(exec_list *instructions,
> * sized by an earlier input primitive layout qualifier, when
> * present, as per the following table."
> */
> + const enum ir_variable_mode mode = (const enum ir_variable_mode)
> + (earlier == NULL ? var->data.mode : earlier->data.mode);
> const bool implicitly_sized =
> - (var->data.mode == ir_var_shader_in &&
> + (mode == ir_var_shader_in &&
> state->stage >= MESA_SHADER_TESS_CTRL &&
> state->stage <= MESA_SHADER_GEOMETRY) ||
> - (var->data.mode == ir_var_shader_out &&
> + (mode == ir_var_shader_out &&
> state->stage == MESA_SHADER_TESS_CTRL);
>
> if (t->is_unsized_array() && !implicitly_sized)
>
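Review bot: this hunk only covers the `var->data.mode` read inside the `implicitly_sized` computation, but per the commit message `get_variable_being_redeclared()` may have freed `var` whenever it returned a non-NULL `earlier`, so any other dereference of `var` later in ast_declarator_list::hir() after that call needs the same `earlier == NULL ? var : earlier` treatment; please confirm none remain before landing. A one-line comment above `const enum ir_variable_mode mode = (const enum ir_variable_mode)` stating why `earlier` is preferred (var may already have been freed by get_variable_being_redeclared()) would keep someone from "simplifying" it back to `var->data.mode` later. Minor: the `const` in the cast is redundant on an rvalue; `(enum ir_variable_mode)` is sufficient.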