From f7e3209fb7c8d4e44f5d27e17cd8707e55356483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20Iglesias=20Gons=C3=A1lvez?= Date: Thu, 9 Feb 2017 13:54:46 +0100 Subject: [PATCH] glsl: fix heap-use-after-free in ast_declarator_list::hir() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The get_variable_being_redeclared() function can free 'var' because a re-declaration of an unsized array variable can establish the size, so we set the array type to the 'earlier' declaration and free 'var' as it is not needed anymore. However, the same 'var' is referenced later in ast_declarator_list::hir(). This patch fixes it by picking the ir_variable_mode from the proper ir_variable. This error was detected by Address Sanitizer. Signed-off-by: Samuel Iglesias Gonsálvez Suggested-by: Ian Romanick Reviewed-by: Ian Romanick Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677 Cc: "17.0" Cc: "13.0" (cherry picked from commit a73a61893323c74f38b1baa30d63a5cc665b7b58)
---
 src/compiler/glsl/ast_to_hir.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index b2000160401..550d4d545ef 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -5159,11 +5159,13 @@ ast_declarator_list::hir(exec_list *instructions,
 * sized by an earlier input primitive layout qualifier, when
 * present, as per the following table."
 */
+ const enum ir_variable_mode mode = (const enum ir_variable_mode)
+ (earlier == NULL ? var->data.mode : earlier->data.mode);
 const bool implicitly_sized =
- (var->data.mode == ir_var_shader_in &&
+ (mode == ir_var_shader_in &&
 state->stage >= MESA_SHADER_TESS_CTRL &&
 state->stage <= MESA_SHADER_GEOMETRY) ||
- (var->data.mode == ir_var_shader_out &&
+ (mode == ir_var_shader_out &&
 state->stage == MESA_SHADER_TESS_CTRL);
 if (t->is_unsized_array() && !implicitly_sized)
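Review bot: The new `mode` selection at the top of the hunk fixes this one read, but `var` itself is left pointing at memory that the commit message says `get_variable_being_redeclared()` may already have freed, so any other dereference of `var` after that call in the rest of `ast_declarator_list::hir()` (whose body starts and ends outside this hunk) would be the same use-after-free; I would have the caller invalidate the pointer right after the call, e.g. `if (earlier != NULL) var = NULL; /* freed by get_variable_being_redeclared() */`, so that a stale use crashes deterministically instead of reading freed heap. The `earlier == NULL ? var->data.mode : earlier->data.mode` choice also deserves a why-comment, since the ternary reads as if the two modes could legitimately differ: `/* 'var' may have been freed when a redeclaration sized an unsized array; read the mode from whichever ir_variable survived. */`. Minor style point on the same line: the `const` in `(const enum ir_variable_mode)` qualifies a prvalue and has no effect, so `(enum ir_variable_mode)` is sufficient.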