summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorBrian Paul <[email protected]>2014-10-17 13:31:53 -0600
committerBrian Paul <[email protected]>2014-10-20 08:59:32 -0600
commit14379a0644ed69c5b7a6c6150ae91eba6f316e33 (patch)
tree8a40d61d34427a581a645b76ee71d4553cda314f /src
parent953a0af8e3f73ce0a42a5dc2bf25355453d7a7b0 (diff)
glsl: fix several use-after-free bugs
The get_variable_being_redeclared() function can free the 'var' argument. Thereafter, we cannot assume that 'var' is a valid pointer. This patch replaces 'var->name' with 'earlier->name' in two places and calls is_gl_identifier(var->name) before 'var' might get freed. This fixes several piglit GLSL crashes, including: spec/glsl-1.50/execution/geometry/clip-distance-in-param spec/glsl-1.50/execution/geometry/clip-distance-bulk-copy spec/glsl-1.50/compiler/gs-redeclares-pervertex-out-before-global-redeclaration.geom I'm not sure why these were not spotted sooner. A similar bug was previously fixed by f9cecca7a. Cc: <[email protected]> Reviewed-by: Chris Forbes <[email protected]>
Diffstat (limited to 'src')
-rw-r--r--src/glsl/ast_to_hir.cpp10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/glsl/ast_to_hir.cpp b/src/glsl/ast_to_hir.cpp
index afbb3b21bbd..fe1e1291e07 100644
--- a/src/glsl/ast_to_hir.cpp
+++ b/src/glsl/ast_to_hir.cpp
@@ -3767,7 +3767,7 @@ ast_declarator_list::hir(exec_list *instructions,
earlier->data.how_declared == ir_var_declared_in_block) {
_mesa_glsl_error(&loc, state,
"`%s' has already been redeclared using "
- "gl_PerVertex", var->name);
+ "gl_PerVertex", earlier->name);
}
earlier->data.how_declared = ir_var_declared_normally;
}
@@ -5706,17 +5706,21 @@ ast_interface_block::hir(exec_list *instructions,
var->data.stream = this->layout.stream;
+ /* Examine var name here since var may get deleted in the next call */
+ bool var_is_gl_id = is_gl_identifier(var->name);
+
if (redeclaring_per_vertex) {
ir_variable *earlier =
get_variable_being_redeclared(var, loc, state,
true /* allow_all_redeclarations */);
- if (!is_gl_identifier(var->name) || earlier == NULL) {
+ if (!var_is_gl_id || earlier == NULL) {
_mesa_glsl_error(&loc, state,
"redeclaration of gl_PerVertex can only "
"include built-in variables");
} else if (earlier->data.how_declared == ir_var_declared_normally) {
_mesa_glsl_error(&loc, state,
- "`%s' has already been redeclared", var->name);
+ "`%s' has already been redeclared",
+ earlier->name);
} else {
earlier->data.how_declared = ir_var_declared_in_block;
earlier->reinit_interface_type(block_type);