author: Samuel Iglesias Gonsálvez <[email protected]> 2017-02-09 13:54:46 +0100
committer: Emil Velikov <[email protected]> 2017-03-01 13:34:42 +0000
commit: c20881661f8195c79503ee36022368798db24de1 (patch)
tree: 19f9ff0c212305579ce096420df49a72584ae37e
parent: 6d2c4e940e5f6d80c94cc0ee9d26fee50202a4e0 (diff)
glsl: fix heap-use-after-free in ast_declarator_list::hir()
The get_variable_being_redeclared() function can free 'var' because a re-declaration of an unsized array variable can establish the size, so we set the array type to the 'earlier' declaration and free 'var' as it is not needed anymore. However, the same 'var' is referenced later in ast_declarator_list::hir().

This patch fixes it by picking the ir_variable_mode from the proper ir_variable.

This error was detected by Address Sanitizer.

Signed-off-by: Samuel Iglesias Gonsálvez <[email protected]>
Suggested-by: Ian Romanick <[email protected]>
Reviewed-by: Ian Romanick <[email protected]>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99677
Cc: "17.0" <[email protected]>
Cc: "13.0" <[email protected]>
(cherry picked from commit a73a61893323c74f38b1baa30d63a5cc665b7b58)

-rw-r--r-- src/compiler/glsl/ast_to_hir.cpp 6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index 5aade30b398..c7ac42cc6cd 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -5220,11 +5220,13 @@ ast_declarator_list::hir(exec_list *instructions,
* sized by an earlier input primitive layout qualifier, when
* present, as per the following table."
*/
+ const enum ir_variable_mode mode = (const enum ir_variable_mode)
+ (earlier == NULL ? var->data.mode : earlier->data.mode);
const bool implicitly_sized =
- (var->data.mode == ir_var_shader_in &&
+ (mode == ir_var_shader_in &&
state->stage >= MESA_SHADER_TESS_CTRL &&
state->stage <= MESA_SHADER_GEOMETRY) ||
- (var->data.mode == ir_var_shader_out &&
+ (mode == ir_var_shader_out &&
state->stage == MESA_SHADER_TESS_CTRL);
if (t->is_unsized_array() && !implicitly_sized)
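Review bot: the new selection `(earlier == NULL ? var->data.mode : earlier->data.mode)` carries the whole fix, but nothing in the code says why `var` must not be dereferenced once `earlier` is non-NULL; the reason (get_variable_being_redeclared() may have freed `var` after the redeclaration sized the array) lives only in the commit message. A one-line comment above `const enum ir_variable_mode mode = ...` stating that `var` may be dangling when `earlier != NULL` would keep a later edit to this block from reintroducing a `var->data.*` read. Two smaller points: the `const` inside the cast `(const enum ir_variable_mode)` has no effect on the converted value and can be dropped, and since `var` stays in scope after the hunk (the `if (t->is_unsized_array() && !implicitly_sized)` line and whatever follows it), it is worth confirming that no other `var->` dereference remains between this point and the end of ast_declarator_list::hir(); the hunk only covers the `implicitly_sized` computation.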