[Mesa-dev] [Mesa-stable] [PATCH] nir/serialize: Alloc constants off the variable

Mark Janes mark.a.janes at intel.com
Tue Jul 24 19:21:31 UTC 2018


Please add the bugzilla reference for 107366

Tested-by: Mark Janes <mark.a.janes at intel.com>

Jason Ekstrand <jason at jlekstrand.net> writes:

> nir_sweep assumes that constants are always allocated off the variable
> to which they belong.  Violating this assumption causes them to get
> freed early and leads to use-after-free bugs.
>
> Cc: mesa-stable at lists.freedesktop.org
> ---
>  src/compiler/nir/nir_serialize.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/compiler/nir/nir_serialize.c b/src/compiler/nir/nir_serialize.c
> index 6a30738c2d7..43016310048 100644
> --- a/src/compiler/nir/nir_serialize.c
> +++ b/src/compiler/nir/nir_serialize.c
> @@ -124,7 +124,7 @@ read_constant(read_ctx *ctx, nir_variable *nvar)
>  
>     blob_copy_bytes(ctx->blob, (uint8_t *)c->values, sizeof(c->values));
>     c->num_elements = blob_read_uint32(ctx->blob);
> -   c->elements = ralloc_array(ctx->nir, nir_constant *, c->num_elements);
> +   c->elements = ralloc_array(nvar, nir_constant *, c->num_elements);
>     for (unsigned i = 0; i < c->num_elements; i++)
>        c->elements[i] = read_constant(ctx, nvar);
>  
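Review bot: the ralloc_array() call for c->elements in read_constant() now relies on an ownership rule that is enforced elsewhere (nir_sweep), and nothing at the call site records it. A one-line comment above the allocation stating that constants must be parented to nvar, not ctx->nir, would keep a later cleanup from reintroducing the early free described in the commit message. The allocation of c itself sits above the visible context, so it is worth confirming that it also uses nvar as its ralloc parent, since the recursive read_constant(ctx, nvar) call passes the same variable down for every nested element. Separately from this fix, c->num_elements is taken directly from blob_read_uint32() and used as both the array size and the loop bound with no range check in these lines; if the blob can ever come from a source that is not fully trusted, a sanity limit here would be a sensible follow-up.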
> -- 
> 2.17.1

