Re: [Mesa-dev] [PATCH 1/2] glsl: fix heap-use-after-free in ast_declarator_list::hir()

2017-02-22 Thread Ian Romanick
On 02/09/2017 06:23 AM, Samuel Iglesias Gonsálvez wrote:
> The get_variable_being_redeclared() function can free 'var' because
> a re-declaration of an unsized array variable can establish the size, so
> we set the array type to the 'earlier' declaration and free 'var' as it is
> not needed anymore.
> 
> However, the same 'var' is referenced later in ast_declarator_list::hir().
> 
> This patch fixes it by picking the ir_variable_mode from the proper
> ir_variable.
> 
> This error was detected by Address Sanitizer.
> 
> Signed-off-by: Samuel Iglesias Gonsálvez 
> Suggested-by: Ian Romanick 
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
> Cc: "17.0" 

Sorry for falling asleep at the wheel.  Series is:

Reviewed-by: Ian Romanick 

I think this patch is also a candidate for 13.0.x... assuming Emil is
doing another one.

> ---
>  src/compiler/glsl/ast_to_hir.cpp | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/compiler/glsl/ast_to_hir.cpp 
> b/src/compiler/glsl/ast_to_hir.cpp
> index b31b61d1ed6..3613161472d 100644
> --- a/src/compiler/glsl/ast_to_hir.cpp
> +++ b/src/compiler/glsl/ast_to_hir.cpp
> @@ -5262,11 +5262,13 @@ ast_declarator_list::hir(exec_list *instructions,
>* sized by an earlier input primitive layout qualifier, when
>* present, as per the following table."
>*/
> + const enum ir_variable_mode mode = (const enum ir_variable_mode)
> +(earlier == NULL ? var->data.mode : earlier->data.mode);
>   const bool implicitly_sized =
> -(var->data.mode == ir_var_shader_in &&
> +(mode == ir_var_shader_in &&
>   state->stage >= MESA_SHADER_TESS_CTRL &&
>   state->stage <= MESA_SHADER_GEOMETRY) ||
> -(var->data.mode == ir_var_shader_out &&
> +(mode == ir_var_shader_out &&
>   state->stage == MESA_SHADER_TESS_CTRL);
>  
>   if (t->is_unsized_array() && !implicitly_sized)
> 
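Review bot: the `const` in the cast `(const enum ir_variable_mode)` on the `+ const enum ir_variable_mode mode = ...` line does nothing, since a cast expression yields a value and the qualifier is discarded; `(enum ir_variable_mode)` is sufficient and reads less like the cast is doing something it is not. The cast itself can stay for the same reason the author added it (the result is assigned to the enum-typed `mode`), and the `const` on the declaration of `mode` is the one that matters.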

___
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev


[Mesa-dev] [PATCH 1/2] glsl: fix heap-use-after-free in ast_declarator_list::hir()

2017-02-09 Thread Samuel Iglesias Gonsálvez
The get_variable_being_redeclared() function can free 'var' because
a re-declaration of an unsized array variable can establish the size, so
we set the array type to the 'earlier' declaration and free 'var' as it is
not needed anymore.

However, the same 'var' is referenced later in ast_declarator_list::hir().

This patch fixes it by picking the ir_variable_mode from the proper
ir_variable.

This error was detected by Address Sanitizer.

Signed-off-by: Samuel Iglesias Gonsálvez 
Suggested-by: Ian Romanick 
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
Cc: "17.0" 
---
 src/compiler/glsl/ast_to_hir.cpp | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index b31b61d1ed6..3613161472d 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -5262,11 +5262,13 @@ ast_declarator_list::hir(exec_list *instructions,
   * sized by an earlier input primitive layout qualifier, when
   * present, as per the following table."
   */
+ const enum ir_variable_mode mode = (const enum ir_variable_mode)
+(earlier == NULL ? var->data.mode : earlier->data.mode);
  const bool implicitly_sized =
-(var->data.mode == ir_var_shader_in &&
+(mode == ir_var_shader_in &&
  state->stage >= MESA_SHADER_TESS_CTRL &&
  state->stage <= MESA_SHADER_GEOMETRY) ||
-(var->data.mode == ir_var_shader_out &&
+(mode == ir_var_shader_out &&
  state->stage == MESA_SHADER_TESS_CTRL);
 
  if (t->is_unsized_array() && !implicitly_sized)
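Review bot: the hunk repairs the two reads of `var->data.mode` inside `implicitly_sized`, but `var` is left pointing at memory that `get_variable_being_redeclared()` may already have freed, and nothing in the code says so; the reason `earlier` is consulted lives only in the commit message. A one-line comment above `+ const enum ir_variable_mode mode = (const enum ir_variable_mode)` stating that `var` is invalid whenever `earlier` is non-NULL would keep a later change from reintroducing a `var->` access after `if (t->is_unsized_array() && !implicitly_sized)`, and it is worth confirming in review that no remaining use of `var` follows this point in `ast_declarator_list::hir()`, since the hunk only covers the uses visible here.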
-- 
2.11.0
