[virglrenderer-devel] [PATCH] vrend: Fix use-after-free in bound programs
Robert Foss
robert.foss at collabora.com
Thu Feb 22 09:35:05 UTC 2018
Hey Stephane,
I've run this patch through the deqp cts-runner, and have seen no regressions.
Tested-by: Robert Foss <robert.foss at collabora.com>
Rob.
On 02/22/2018 06:47 AM, Stéphane Marchesin wrote:
> If we bind a GL program with a given id, then destroy the program and
> its id, then immediately create another program which ends up with
> the same id, we won't be able to tell that a new program needs to be
> bound, and we will access freed data. This results in funny crashes.
>
> We fix this by setting the program to 0 when a different shader is
> being bound. This will force the draw code to bind the proper program
> later on.
>
> This fixes a lot of semi-random crashes. To debug it I used this
> particular deqp test which becomes stable with this change:
> dEQP-GLES3.functional.draw.draw_elements.triangle_fan.default_attribute
>
> Signed-off-by: Stéphane Marchesin <marcheu at chromium.org>
> ---
> src/vrend_renderer.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
> index 18df3f2..8356d78 100644
> --- a/src/vrend_renderer.c
> +++ b/src/vrend_renderer.c
> @@ -2382,8 +2382,11 @@ void vrend_bind_shader(struct vrend_context *ctx,
> if (sel->type != type)
> return;
>
> - if (ctx->sub->shaders[sel->type] != sel)
> + if (ctx->sub->shaders[sel->type] != sel) {
> ctx->sub->shader_dirty = true;
> + ctx->sub->prog_ids[sel->type] = 0;
> + }
> +
> vrend_shader_state_reference(&ctx->sub->shaders[sel->type], sel);
> }
>
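Review bot: The added `ctx->sub->prog_ids[sel->type] = 0;` line in the `!= sel` branch carries no comment, and the reason for it is only in the commit message: a destroyed program's id can be handed out again, so a matching cached id does not prove the bound program is still valid. Please add a short comment above that line saying so. Also consider whether the reset belongs only here. The invalidation depends on the next bind passing a different `sel`, and the destroy path that produces the stale id is not touched by this hunk, so clearing the cached id there as well would make the fix independent of bind order.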
>
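The id-reuse problem described in the commit message above, as an added example that is not part of the original thread and is not virglrenderer code. It is a simplified, constructed model (all names are hypothetical) that uses a generation counter in place of freed memory to show that a draw keeps stale state when only the cached id is compared, and that resetting the cached id at bind time forces a rebind.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model, not virglrenderer code: all names are hypothetical. */
#define MAX_IDS 4
static bool id_in_use[MAX_IDS + 1];   /* id 0 is reserved as "no program" */
static int next_generation;           /* distinguishes objects sharing an id */
struct program { unsigned id; int generation; };
struct context { const struct program *selected; unsigned bound_id;
                 int bound_generation; bool dirty; };
/* This model's allocator hands out the lowest free id, so a freed id is
 * reused by the very next create. */
static struct program program_create(void) {
    struct program p = { 0, ++next_generation };
    for (unsigned id = 1; id <= MAX_IDS && p.id == 0; id++)
        if (!id_in_use[id]) { id_in_use[id] = true; p.id = id; }
    return p;
}
static void program_destroy(const struct program *p) { id_in_use[p->id] = false; }
static void bind(struct context *c, const struct program *p, bool reset_id) {
    if (c->selected != p) {
        c->dirty = true;
        if (reset_id) c->bound_id = 0;   /* the fix: forget the cached id */
    }
    c->selected = p;
}

/* Draw rebinds only when the cached id differs; returns the generation used. */
static int draw(struct context *c) {
    if (c->dirty && c->bound_id != c->selected->id) {
        c->bound_id = c->selected->id;
        c->bound_generation = c->selected->generation;
    }
    c->dirty = false;
    return c->bound_generation;
}

/* Bind A, draw, destroy A, create B (same id), bind B, draw again.
 * Returns true when the second draw still used A's stale state. */
static bool draw_uses_stale_program(bool reset_id) {
    memset(id_in_use, 0, sizeof id_in_use);
    next_generation = 0;
    struct context c = { 0 };
    struct program a = program_create();
    bind(&c, &a, reset_id);
    draw(&c);
    program_destroy(&a);
    struct program b = program_create();   /* receives the id A just gave up */
    bind(&c, &b, reset_id);
    return b.id == a.id && draw(&c) != b.generation;
}
int main(void) { return draw_uses_stale_program(false) && !draw_uses_stale_program(true) ? 0 : 1; }
```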