st/glsl_to_tgsi: fix a use-after-free in merge_two_dsts

Found by address sanitizer. The loop here tries to be safe, but in doing so, it ends up doing exactly the wrong thing: the safe foreach is for when the loop variable (inst) could be deleted and nothing else. However, this particular can delete inst's successor, but not inst itself. Fixes: 8c6a0ebaad ("st/mesa: add st fp64 support (v7.1)") Reviewed-by: Marek Olšák <marek.olsak@amd.com> Tested-by: Dieter Nützel <Dieter@nuetzel-hh.de> (cherry picked from commit 2703fa613b)
2026-05-04 01:08:03 +02:00 · 2017-09-21 16:55:35 +02:00 · 2017-09-21 16:55:35 +02:00 · f805a61e04
commit f805a61e04
parent 6957dfb0d8
1 changed files with 2 additions and 1 deletions
--- a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
@ -5429,7 +5429,8 @@ glsl_to_tgsi_visitor::eliminate_dead_code(void)
 void
 glsl_to_tgsi_visitor::merge_two_dsts(void)
 {
-   foreach_in_list_safe(glsl_to_tgsi_instruction, inst, &this->instructions) {
+   /* We never delete inst, but we may delete its successor. */
+   foreach_in_list(glsl_to_tgsi_instruction, inst, &this->instructions) {
      glsl_to_tgsi_instruction *inst2;
      bool merged;
      if (num_inst_dst_regs(inst) != 2)