authorNicolai Hähnle <[email protected]>2017-09-21 16:55:35 +0200
committerNicolai Hähnle <[email protected]>2017-09-29 11:42:38 +0200
commit2703fa613b674184ad94b077ae68ad04160ba9d5 (patch)
treeb08b169ba8dd38ebda5bab1f5ea35e08d376dca7 /src/mesa
parent4ed419328d62b428207dbcc53cdf45b0d29f5962 (diff)
st/glsl_to_tgsi: fix a use-after-free in merge_two_dsts
Found by address sanitizer. The loop here tries to be safe, but in doing so, it ends up doing exactly the wrong thing: the safe foreach is for when the loop variable (inst) could be deleted and nothing else. However, this particular loop can delete inst's successor, but not inst itself. Fixes: 8c6a0ebaad72 ("st/mesa: add st fp64 support (v7.1)") Reviewed-by: Marek Olšák <[email protected]> Tested-by: Dieter Nützel <[email protected]>
Diffstat (limited to 'src/mesa')
-rw-r--r--src/mesa/state_tracker/st_glsl_to_tgsi.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
index 609920a7a87..f4870a1c606 100644
--- a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
@@ -5148,7 +5148,8 @@ glsl_to_tgsi_visitor::eliminate_dead_code(void)
void
glsl_to_tgsi_visitor::merge_two_dsts(void)
{
- foreach_in_list_safe(glsl_to_tgsi_instruction, inst, &this->instructions) {
+ /* We never delete inst, but we may delete its successor. */
+ foreach_in_list(glsl_to_tgsi_instruction, inst, &this->instructions) {
glsl_to_tgsi_instruction *inst2;
bool merged;
if (num_inst_dst_regs(inst) != 2)
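Review bot: The new comment above `foreach_in_list` states the invariant but not the mechanism, so a later reader may "harden" the loop back to the safe variant and reintroduce the use-after-free. I would spell it out, e.g. `/* foreach_in_list_safe caches inst's successor before the body runs; the body may remove and free that successor, so use the plain iterator, which reads inst->next only after the body. */`. The loop body continues outside the hunk, so the place where the successor is removed is not visible here. It looks like the correctness of the plain iterator now depends on the body never removing `inst` itself, and that is worth stating in the same comment. Keeping this path exercised in an ASan build would catch a regression in either direction.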