[Mesa-dev] [PATCH] nir/serialize: Alloc constants off the variable
Jason Ekstrand
jason at jlekstrand.net
Tue Jul 24 18:02:34 UTC 2018
nir_sweep assumes that constants area always allocated off the variable
to which they belong. Violating this assumption causes them to get
freed early and leads to use-after-free bugs.
Cc: mesa-stable at lists.freedesktop.org
---
src/compiler/nir/nir_serialize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/compiler/nir/nir_serialize.c b/src/compiler/nir/nir_serialize.c
index 6a30738c2d7..43016310048 100644
--- a/src/compiler/nir/nir_serialize.c
+++ b/src/compiler/nir/nir_serialize.c
@@ -124,7 +124,7 @@ read_constant(read_ctx *ctx, nir_variable *nvar)
blob_copy_bytes(ctx->blob, (uint8_t *)c->values, sizeof(c->values));
c->num_elements = blob_read_uint32(ctx->blob);
- c->elements = ralloc_array(ctx->nir, nir_constant *, c->num_elements);
+ c->elements = ralloc_array(nvar, nir_constant *, c->num_elements);
for (unsigned i = 0; i < c->num_elements; i++)
c->elements[i] = read_constant(ctx, nvar);
--
2.17.1
More information about the mesa-dev
mailing list