fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2026-05-08 02:38:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

llvmpipe: fix use after free with fs variant cleanup

Browse source 
item->base will be freed for the NULL reference write
so just use a temporary to avoid it.

This was found with asan and lavapipe:
dEQP-VK.api.copy_and_blit.core.blit_image*

Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8912>
This commit is contained in:
Dave Airlie 2021-02-08 16:52:57 +10:00
parent 2937f69cc0
commit c10b785490
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/gallium/drivers/llvmpipe/lp_state_fs.c
View file

@ -4235,7 +4235,8 @@ llvmpipe_update_fs(struct llvmpipe_context *lp)
assert(item);
assert(item->base);
llvmpipe_remove_shader_variant(lp, item->base);
lp_fs_variant_reference(lp, &item->base, NULL);
struct lp_fragment_shader_variant *variant = item->base;
lp_fs_variant_reference(lp, &variant, NULL);
}
}