diff options
author | Brian Paul <[email protected]> | 2014-10-17 13:31:53 -0600 |
---|---|---|
committer | Brian Paul <[email protected]> | 2014-10-20 08:59:32 -0600 |
commit | 14379a0644ed69c5b7a6c6150ae91eba6f316e33 (patch) | |
tree | 8a40d61d34427a581a645b76ee71d4553cda314f /src/mesa/main/format_unpack.h | |
parent | 953a0af8e3f73ce0a42a5dc2bf25355453d7a7b0 (diff) |
glsl: fix several use-after-free bugs
The get_variable_being_redeclared() function can free the 'var' argument.
Thereafter, we cannot assume that 'var' is a valid pointer. This patch
replaces 'var->name' with 'earlier->name' in two places and calls
is_gl_identifier(var->name) before 'var' might get freed.
This fixes several piglit GLSL crashes, including:
spec/glsl-1.50/execution/geometry/clip-distance-in-param
spec/glsl-1.50/execution/geometry/clip-distance-bulk-copy
spec/glsl-1.50/compiler/gs-redeclares-pervertex-out-before-global-redeclaration.geom
I'm not sure why these were not spotted sooner.
A similar bug was previously fixed by f9cecca7a.
Cc: <[email protected]>
Reviewed-by: Chris Forbes <[email protected]>
Diffstat (limited to 'src/mesa/main/format_unpack.h')
0 files changed, 0 insertions, 0 deletions