From: Jan Vesely Date: Mon, 23 Jun 2014 14:39:00 +0000 (-0400) Subject: r600: Fix use after free in compute_memory_promote_item. X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=0c181cdc6c0efdd98927b010239e0376399cecbf;p=mesa.git r600: Fix use after free in compute_memory_promote_item. The dst pointer needs to be initialized after any calls to compute_memory_grow_pool, as the function might change the pool->vbo pointer. This fixes crashes and assertion failures in two gegl tests. Reviewed-by: Bruno Jiménez Signed-off-by: Jan Vesely --- diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c index 518ea654e40..691c9383f15 100644 --- a/src/gallium/drivers/r600/compute_memory_pool.c +++ b/src/gallium/drivers/r600/compute_memory_pool.c @@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool, { struct pipe_screen *screen = (struct pipe_screen *)pool->screen; struct r600_context *rctx = (struct r600_context *)pipe; - struct pipe_resource *dst = (struct pipe_resource *)pool->bo; struct pipe_resource *src = (struct pipe_resource *)item->real_buffer; + struct pipe_resource *dst = NULL; struct pipe_box box; struct list_head *pos; @@ -336,6 +336,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool, if (err == -1) return -1; } + dst = (struct pipe_resource *)pool->bo; COMPUTE_DBG(pool->screen, " + Found space for Item %p id = %u " "start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n", item, item->id, start_in_dw, start_in_dw * 4,