st/mesa: fix context use-after-free problem in st_renderbuffer_delete()
authorBrian Paul <brianp@vmware.com>
Fri, 30 Nov 2012 17:11:54 +0000 (10:11 -0700)
committerBrian Paul <brianp@vmware.com>
Fri, 30 Nov 2012 19:08:07 +0000 (12:08 -0700)
The use-after-free happened when the renderbuffer was shared by multiple
contexts and we tried to delete the renderbuffer using a context which
was previously deleted.

Note: this is a candidate for the stable branches.

Reviewed-by: Jose Fonseca <jfonseca@vmware.com>
src/mesa/state_tracker/st_cb_fbo.c

index 05a1dc67c18f8dcffb112f39b8b96d8fa332994b..04907c9f7deca77ff1db82c278fe3013c075536d 100644 (file)
@@ -228,8 +228,10 @@ static void
 st_renderbuffer_delete(struct gl_context *ctx, struct gl_renderbuffer *rb)
 {
    struct st_renderbuffer *strb = st_renderbuffer(rb);
-   ASSERT(strb);
-   pipe_surface_reference(&strb->surface, NULL);
+   struct st_context *st = st_context(ctx);
+   struct pipe_context *pipe = st->pipe;
+
+   pipe_surface_release(pipe, &strb->surface);
    pipe_resource_reference(&strb->texture, NULL);
    free(strb->data);
    _mesa_delete_renderbuffer(ctx, rb);
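Review bot: Dropping `ASSERT(strb);` leaves `strb->surface` on the `pipe_surface_release` line dereferenced with no check at all, and the new `st->pipe` line likewise dereferences the result of `st_context(ctx)` unconditionally; if the original assert guarded a real NULL case it should stay, e.g. `assert(strb);` right after the new declarations. The reason for switching from `pipe_surface_reference` to `pipe_surface_release` through the caller's pipe — that the surface's own context pointer may already refer to a destroyed context when the renderbuffer is shared — lives only in the commit message, so a comment on that line would stop a later cleanup from reverting to the shorter form, e.g. `/* Release via the caller's pipe: the surface's own context may already be destroyed when the renderbuffer is shared across contexts. */`. The same release call appears in the st_render_texture hunk below.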
@@ -434,7 +436,7 @@ st_render_texture(struct gl_context *ctx,
 
    pipe_resource_reference( &strb->texture, pt );
 
-   pipe_surface_reference(&strb->surface, NULL);
+   pipe_surface_release(pipe, &strb->surface);
 
    assert(strb->rtt_level <= strb->texture->last_level);
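Review bot: `pipe` on the new `pipe_surface_release` line is not declared within the hunk; st_render_texture starts before this hunk and continues after it, so it is presumably a local derived from ctx earlier in the function — worth confirming it is the calling context's pipe rather than a pointer cached from the surface, since that is exactly the stale-context case the commit is fixing. A one-line comment stating why the release goes through the caller's pipe, e.g. `/* Use the caller's pipe; the surface's own context may be gone. */`, would make the intent explicit at this second site as well.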