Module: Mesa Branch: master Commit: 0c181cdc6c0efdd98927b010239e0376399cecbf URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=0c181cdc6c0efdd98927b010239e0376399cecbf
Author: Jan Vesely <[email protected]>
Date: Mon Jun 23 10:39:00 2014 -0400
r600: Fix use after free in compute_memory_promote_item.
The dst pointer needs to be initialized after any calls to compute_memory_grow_pool, as the function might change the pool->vbo pointer. This fixes crashes and assertion failures in two gegl tests.
Reviewed-by: Bruno Jiménez <[email protected]>
Signed-off-by: Jan Vesely <[email protected]>
---
src/gallium/drivers/r600/compute_memory_pool.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c
index 518ea65..691c938 100644
--- a/src/gallium/drivers/r600/compute_memory_pool.c
+++ b/src/gallium/drivers/r600/compute_memory_pool.c
@@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 {
 struct pipe_screen *screen = (struct pipe_screen *)pool->screen;
 struct r600_context *rctx = (struct r600_context *)pipe;
- struct pipe_resource *dst = (struct pipe_resource *)pool->bo;
 struct pipe_resource *src = (struct pipe_resource *)item->real_buffer;
+ struct pipe_resource *dst = NULL;
 struct pipe_box box;
 struct list_head *pos;
@@ -336,6 +336,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 if (err == -1)
 return -1;
 }
+ dst = (struct pipe_resource *)pool->bo;
 COMPUTE_DBG(pool->screen, " + Found space for Item %p id = %u "
 "start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n",
 item, item->id, start_in_dw, start_in_dw * 4,
_______________________________________________
mesa-commit mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/mesa-commit
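Review bot: The assignment `dst = (struct pipe_resource *)pool->bo;` added in the second hunk has no comment explaining why it sits after the grow block, so a later tidy-up could fold it back into the declaration and bring back the stale pointer. I would put `/* compute_memory_grow_pool() may replace pool->bo; read dst only after it */` directly above the assignment. The `= NULL` initialiser in the first hunk is worth keeping, since a premature use of `dst` then faults immediately instead of touching freed memory. compute_memory_promote_item starts before and ends after both hunks, so whether any other local caches a pool-owned pointer across the grow call cannot be confirmed from here.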
