[virglrenderer-devel] [PATCH] vrend: Fix use-after-free in bound programs

[Stéphane Marchesin]

If we bind a GL program with a given id, then destroy the program and
its id, then immediately create another program which ends up with
the same id, we won't be able to tell that a new program needs to be
bound, and we will access freed data. This results in funny crashes.

We fix this by setting the program to 0 when a different shader is
being bound. This will force the draw code to bind the proper program
later on.

This fixes a lot of semi-random crashes. To debug it I used this
particular deqp test which becomes stable with this change:
dEQP-GLES3.functional.draw.draw_elements.triangle_fan.default_attribute

Signed-off-by: Stéphane Marchesin <marcheu at chromium.org>
---
 src/vrend_renderer.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 18df3f2..8356d78 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -2382,8 +2382,11 @@ void vrend_bind_shader(struct vrend_context *ctx,
    if (sel->type != type)
       return;
 
-   if (ctx->sub->shaders[sel->type] != sel)
+   if (ctx->sub->shaders[sel->type] != sel) {
       ctx->sub->shader_dirty = true;
+      ctx->sub->prog_ids[sel->type] = 0;
+   }
+
    vrend_shader_state_reference(&ctx->sub->shaders[sel->type], sel);
 }
 
-- 
2.16.1.291.g4437f3f132-goog