Module: Mesa
Branch: main
Commit: fe4271c42d14a16935071476a685388a5ce13f7d
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=fe4271c42d14a16935071476a685388a5ce13f7d

Author: Patrick Lerda <[email protected]>
Date:   Fri Feb 17 03:01:37 2023 +0100

vbo/save: fix possible crash related to fixup_vertex()

Indeed, buffer_in_ram could be reallocated by fixup_vertex()
which triggers this issue.

For instance, with "piglit/gl-1.0-dlist-materials -auto -fbo":
==28392==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000010024 at pc 0x7f3f416fcf18 bp 0x7f3f33d12800 sp 0x7f3f33d127f8
WRITE of size 4 at 0x607000010024 thread T6
    #0 0x7f3f416fcf17 in _save_Materialfv ../src/mesa/vbo/vbo_save_api.c:1405
    #1 0x7f3f418199de in _mesa_unmarshal_Materialfv src/mapi/glapi/gen/marshal_generated0.c:5006
    #2 0x7f3f413c6863 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:65
    #3 0x7f3f4124d368 in util_queue_thread_func ../src/util/u_queue.c:309
    #4 0x7f3f41391eba in impl_thrd_routine ../src/c11/impl/threads_posix.c:67
    #5 0x7f3f4c619c6b in start_thread glibc-2.35/nptl/pthread_create.c:442
    #6 0x7f3f4c69e1fb in __clone3 (/lib64/libc.so.6+0x10c1fb)

0x607000010024 is located 20 bytes inside of 80-byte region [0x607000010010,0x607000010060)
freed by thread T6 here:
    #0 0x7f3f4f093b48 in __interceptor_realloc (/usr/lib64/libasan.so.6+0xb1b48)
    #1 0x7f3f416e5b0c in grow_vertex_storage ../src/mesa/vbo/vbo_save_api.c:417
    #2 0x7f3f416e69bc in fixup_vertex ../src/mesa/vbo/vbo_save_api.c:1266
    #3 0x7f3f416fb13e in _save_Materialfv ../src/mesa/vbo/vbo_save_api.c:1405
    #4 0x7f3f418199de in _mesa_unmarshal_Materialfv src/mapi/glapi/gen/marshal_generated0.c:5006
    #5 0x7f3f413c6863 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:65
    #6 0x7f3f4124d368 in util_queue_thread_func ../src/util/u_queue.c:309
    #7 0x7f3f41391eba in impl_thrd_routine ../src/c11/impl/threads_posix.c:67
    #8 0x7f3f4c619c6b in start_thread glibc-2.35/nptl/pthread_create.c:442

Signed-off-by: Patrick Lerda <[email protected]>
Reviewed-by: Marek Olšák <[email protected]>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21419>

---

 src/mesa/vbo/vbo_save_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c
index 49fa879cd4b..9d8cf44eaa2 100644
--- a/src/mesa/vbo/vbo_save_api.c
+++ b/src/mesa/vbo/vbo_save_api.c
@@ -1321,10 +1321,10 @@ do {                                                    
        \
                                                                 \
    if (save->active_sz[A] != N) {                               \
       bool had_dangling_ref = save->dangling_attr_ref;          \
-      fi_type *dest = save->vertex_store->buffer_in_ram;        \
       if (fixup_vertex(ctx, A, N * sz, T) &&                    \
           !had_dangling_ref && save->dangling_attr_ref &&       \
           A != VBO_ATTRIB_POS) {                                \
+         fi_type *dest = save->vertex_store->buffer_in_ram;     \
          /* Copy the new attr values to the already copied      \
           * vertices.                                           \
           */                                                    \
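Review bot: Moving `fi_type *dest = save->vertex_store->buffer_in_ram;` below the `fixup_vertex(ctx, A, N * sz, T)` call is the right fix for the stale-pointer read, since the ASan trace shows `fixup_vertex` reaching `grow_vertex_storage`, which reallocs the buffer; but the hunk leaves no trace of why the load must happen after the call, so a later cleanup could hoist it back up. Consider a one-line comment next to the new declaration, e.g. `/* fixup_vertex() may realloc buffer_in_ram, so read it only afterwards. */`, so the ordering constraint is documented in the code rather than only in the commit message. Also worth confirming that nothing else in the surrounding macro body (outside the lines shown) caches `buffer_in_ram` or a pointer into it across the `fixup_vertex` call, since that would be the same use-after-free pattern.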
