author | Kenneth Graunke <[email protected]> | 2016-12-30 15:35:02 -0800 |
---|---|---|
committer | Kenneth Graunke <[email protected]> | 2016-12-30 15:46:22 -0800 |
commit | 62a819184141133478cfdcfa76b62d5bb7e14fd5 (patch) | |
tree | ba131adc9d9ffc275d1c03419bbdc2b85082cda4 /src/mesa/drivers/dri/i965 | |
parent | 68245aa6f5f832ba3066fb65050ff79ad3e5531c (diff) |
i965: Avoid NULL pointer dereference when transform feedback is off.

upload_3dstate_streamout can be called when there's no currently bound
transform feedback object. In this case, we get the default object,
which has a NULL shader (previously gl_shader_program, now gl_program).

The old code did something sketchy, but which worked:

    const struct gl_transform_feedback_info *linked_xfb_info =
       &xfb_obj->shader_program->LinkedTransformFeedback;

Here, if shader_program is NULL, this would be a bogus pointer of 0x60.
But we never actually dereferenced it, so it worked out.

With Timothy's recent reworks, we actually end up dereferencing
xfb_obj->program along the way, which crashes since it's NULL.

The solution is to move this pointer initialization into the "active"
block, where we know it actually exists and won't be bogus.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99231
Signed-off-by: Kenneth Graunke <[email protected]>
Reviewed-by: Jason Ekstrand <[email protected]>
Reviewed-by: Timothy Arceri <[email protected]>
Diffstat (limited to 'src/mesa/drivers/dri/i965')
-rw-r--r-- | src/mesa/drivers/dri/i965/gen7_sol_state.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/mesa/drivers/dri/i965/gen7_sol_state.c b/src/mesa/drivers/dri/i965/gen7_sol_state.c index c9f9f1f731d..e6b79ed2342 100644 --- a/src/mesa/drivers/dri/i965/gen7_sol_state.c +++ b/src/mesa/drivers/dri/i965/gen7_sol_state.c @@ -228,12 +228,12 @@ upload_3dstate_streamout(struct brw_context *brw, bool active, /* BRW_NEW_TRANSFORM_FEEDBACK */ struct gl_transform_feedback_object *xfb_obj = ctx->TransformFeedback.CurrentObject; - const struct gl_transform_feedback_info *linked_xfb_info = - xfb_obj->program->sh.LinkedTransformFeedback; uint32_t dw1 = 0, dw2 = 0, dw3 = 0, dw4 = 0; int i; if (active) { + const struct gl_transform_feedback_info *linked_xfb_info = + xfb_obj->program->sh.LinkedTransformFeedback; int urb_entry_read_offset = 0; int urb_entry_read_length = (vue_map->num_slots + 1) / 2 - urb_entry_read_offset; |
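Review bot: inside the `if (active)` block, `xfb_obj->program->sh.LinkedTransformFeedback` is still dereferenced with no check that `xfb_obj->program` is non-NULL, so the fix rests entirely on the assumption that `active` implies a bound transform feedback object with a program. Nothing in the hunk enforces or documents that assumption. Consider adding `assert(xfb_obj->program);` immediately before the `linked_xfb_info` initialization, or at least a one-line comment stating the invariant, so that a caller passing `active` with the default object is caught in debug builds at the point where the assumption is made.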