summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnuj Phogat <[email protected]>2012-01-03 18:12:06 -0800
committerAnuj Phogat <[email protected]>2012-01-03 19:04:03 -0800
commit0ed11e333147e280208d9d0b3ff3f39970547643 (patch)
treeeb47c82b7dc3056e9519916a6aded866e1101bd7
parent2f1ab63fab592264c13e7dbab39a5cea1a622903 (diff)
Fix read from pointer after free
Coverity reported a read from pointer after free defect in src/mesa/drivers/dri/intel/intel_mipmap_tree.c. Bug# 44205 In intel_miptree_all_slices_resolve() function, i = i->next was executing after freeing i. I have defined a temporary variable (next) to store the value of i->next before freeing i Reported-by: Vinson Lee <[email protected]> Signed-off-by: Anuj Phogat <[email protected]> Reviewed-by: Eric Anholt <[email protected]>
-rw-r--r--src/mesa/drivers/dri/intel/intel_mipmap_tree.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
index 60cc694ee0c..7787c1a87af 100644
--- a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
+++ b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
@@ -640,12 +640,13 @@ intel_miptree_all_slices_resolve(struct intel_context *intel,
resolve_func_t func)
{
bool did_resolve = false;
- struct intel_resolve_map *i;
+ struct intel_resolve_map *i, *next;
- for (i = mt->hiz_map.next; i; i = i->next) {
+ for (i = mt->hiz_map.next; i; i = next) {
if (i->need != need)
continue;
func(intel, mt, i->level, i->layer);
+ next = i->next;
intel_resolve_map_remove(i);
did_resolve = true;
}