mesa: validate that sync objects were created by mesa

Previously, the user could send in a pointer that was not created by mesa. When we dereferenced that pointer, there would be an exception. Now we keep a set of pointers and verify that the pointer exists in that set before dereferencing it. Note: This fixes several crashing gles3conform tests. Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Brian Paul <brianp@vmware.com>
2026-01-02 16:00:09 +01:00 · 2012-12-04 01:24:07 -08:00 · 2012-12-04 01:24:07 -08:00 · 56e95d3ca2
commit 56e95d3ca2
parent e12d9f0c6d
3 changed files with 26 additions and 15 deletions
--- a/src/mesa/main/mtypes.h
+++ b/src/mesa/main/mtypes.h
@ -79,6 +79,8 @@ struct st_context;
 struct gl_uniform_storage;
 struct prog_instruction;
 struct gl_program_parameter_list;
+struct set;
+struct set_entry;
 /*@}*/


@ -2509,7 +2511,7 @@ struct gl_query_state
 /** Sync object state */
 struct gl_sync_object
 {
-   struct simple_node link;
+   struct set_entry *SetEntry;
   GLenum Type;               /**< GL_SYNC_FENCE */
   GLuint Name;               /**< Fence name */
   GLint RefCount;            /**< Reference count */
@ -2576,7 +2578,7 @@ struct gl_shared_state
   struct _mesa_HashTable *FrameBuffers;

   /* GL_ARB_sync */
-   struct simple_node SyncObjects;
+   struct set *SyncObjects;

   /** GL_ARB_sampler_objects */
   struct _mesa_HashTable *SamplerObjects;
--- a/src/mesa/main/shared.c
+++ b/src/mesa/main/shared.c
@ -31,12 +31,14 @@
 #include "mfeatures.h"
 #include "mtypes.h"
 #include "hash.h"
+#include "hash_table.h"
 #include "atifragshader.h"
 #include "bufferobj.h"
 #include "shared.h"
 #include "program/program.h"
 #include "dlist.h"
 #include "samplerobj.h"
+#include "set.h"
 #include "shaderobj.h"
 #include "syncobj.h"

@ -115,7 +117,7 @@ _mesa_alloc_shared_state(struct gl_context *ctx)
   shared->FrameBuffers = _mesa_NewHashTable();
   shared->RenderBuffers = _mesa_NewHashTable();

-   make_empty_list(& shared->SyncObjects);
+   shared->SyncObjects = _mesa_set_create(NULL, _mesa_key_pointer_equal);

   return shared;
 }
@ -327,13 +329,13 @@ free_shared_state(struct gl_context *ctx, struct gl_shared_state *shared)
   _mesa_reference_buffer_object(ctx, &shared->NullBufferObj, NULL);

   {
-      struct simple_node *node;
-      struct simple_node *temp;
+      struct set_entry *entry;

-      foreach_s(node, temp, & shared->SyncObjects) {
-	 _mesa_unref_sync_object(ctx, (struct gl_sync_object *) node);
+      set_foreach(shared->SyncObjects, entry) {
+         _mesa_unref_sync_object(ctx, (struct gl_sync_object *) entry->key);
      }
   }
+   _mesa_set_destroy(shared->SyncObjects, NULL);

   _mesa_HashDeleteAll(shared->SamplerObjects, delete_sampler_object_cb, ctx);
   _mesa_DeleteHashTable(shared->SamplerObjects);
--- a/src/mesa/main/syncobj.c
+++ b/src/mesa/main/syncobj.c
@ -64,6 +64,8 @@
 #include "get.h"
 #include "dispatch.h"
 #include "mtypes.h"
+#include "set.h"
+#include "hash_table.h"

 #include "syncobj.h"

@ -174,9 +176,12 @@ _mesa_free_sync_data(struct gl_context *ctx)


 static int
-_mesa_validate_sync(struct gl_sync_object *syncObj)
+_mesa_validate_sync(struct gl_context *ctx, struct gl_sync_object *syncObj)
 {
   return (syncObj != NULL)
+      && _mesa_set_search(ctx->Shared->SyncObjects,
+                          _mesa_hash_pointer(syncObj),
+                          syncObj) != NULL
      && (syncObj->Type == GL_SYNC_FENCE)
      && !syncObj->DeletePending;
 }
@ -197,7 +202,7 @@ _mesa_unref_sync_object(struct gl_context *ctx, struct gl_sync_object *syncObj)
   _glthread_LOCK_MUTEX(ctx->Shared->Mutex);
   syncObj->RefCount--;
   if (syncObj->RefCount == 0) {
-      remove_from_list(& syncObj->link);
+      _mesa_set_remove(ctx->Shared->SyncObjects, syncObj->SetEntry);
      _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);

      ctx->Driver.DeleteSyncObject(ctx, syncObj);
@ -214,7 +219,7 @@ _mesa_IsSync(GLsync sync)
   struct gl_sync_object *const syncObj = (struct gl_sync_object *) sync;
   ASSERT_OUTSIDE_BEGIN_END_WITH_RETVAL(ctx, GL_FALSE);

-   return _mesa_validate_sync(syncObj) ? GL_TRUE : GL_FALSE;
+   return _mesa_validate_sync(ctx, syncObj) ? GL_TRUE : GL_FALSE;
 }


@ -235,7 +240,7 @@ _mesa_DeleteSync(GLsync sync)
      return;
   }

-   if (!_mesa_validate_sync(syncObj)) {
+   if (!_mesa_validate_sync(ctx, syncObj)) {
      _mesa_error(ctx, GL_INVALID_VALUE, "glDeleteSync (not a valid sync object)");
      return;
   }
@ -285,7 +290,9 @@ _mesa_FenceSync(GLenum condition, GLbitfield flags)
      ctx->Driver.FenceSync(ctx, syncObj, condition, flags);

      _glthread_LOCK_MUTEX(ctx->Shared->Mutex);
-      insert_at_tail(& ctx->Shared->SyncObjects, & syncObj->link);
+      syncObj->SetEntry = _mesa_set_add(ctx->Shared->SyncObjects,
+                                        _mesa_hash_pointer(syncObj),
+                                        syncObj);
      _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);

      return (GLsync) syncObj;
@ -303,7 +310,7 @@ _mesa_ClientWaitSync(GLsync sync, GLbitfield flags, GLuint64 timeout)
   GLenum ret;
   ASSERT_OUTSIDE_BEGIN_END_WITH_RETVAL(ctx, GL_WAIT_FAILED);

-   if (!_mesa_validate_sync(syncObj)) {
+   if (!_mesa_validate_sync(ctx, syncObj)) {
      _mesa_error(ctx, GL_INVALID_VALUE, "glClientWaitSync (not a valid sync object)");
      return GL_WAIT_FAILED;
   }
@ -347,7 +354,7 @@ _mesa_WaitSync(GLsync sync, GLbitfield flags, GLuint64 timeout)
   struct gl_sync_object *const syncObj = (struct gl_sync_object *) sync;
   ASSERT_OUTSIDE_BEGIN_END(ctx);

-   if (!_mesa_validate_sync(syncObj)) {
+   if (!_mesa_validate_sync(ctx, syncObj)) {
      _mesa_error(ctx, GL_INVALID_VALUE, "glWaitSync (not a valid sync object)");
      return;
   }
@ -377,7 +384,7 @@ _mesa_GetSynciv(GLsync sync, GLenum pname, GLsizei bufSize, GLsizei *length,
   GLint v[1];
   ASSERT_OUTSIDE_BEGIN_END(ctx);

-   if (!_mesa_validate_sync(syncObj)) {
+   if (!_mesa_validate_sync(ctx, syncObj)) {
      _mesa_error(ctx, GL_INVALID_VALUE, "glGetSynciv (not a valid sync object)");
      return;
   }