From: Brian Paul <brianp@vmware.com>
Date: Fri, 12 Sep 2014 12:29:04 +0000 (-0600)
Subject: mesa: fix _mesa_free_pipeline_data() use-after-free bug
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=0d73ac6b02cac46d4a8f3cd1ffa591e071577fa7;p=mesa.git

mesa: fix _mesa_free_pipeline_data() use-after-free bug

Unreference the ctx->_Shader object before we delete all the pipeline
objects in the hash table.  Before, ctx->_Shader could point to freed
memory when _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)
was called.

Fixes crash when exiting the piglit rendezvous_by_location test on
Windows.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
---

diff --git a/src/mesa/main/pipelineobj.c b/src/mesa/main/pipelineobj.c
index 017d4257eb8..b713d956f78 100644
--- a/src/mesa/main/pipelineobj.c
+++ b/src/mesa/main/pipelineobj.c
@@ -120,12 +120,12 @@ delete_pipelineobj_cb(GLuint id, void *data, void *userData)
 void
 _mesa_free_pipeline_data(struct gl_context *ctx)
 {
+   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
+
    _mesa_HashDeleteAll(ctx->Pipeline.Objects, delete_pipelineobj_cb, ctx);
    _mesa_DeleteHashTable(ctx->Pipeline.Objects);
 
-   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
    _mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default);
-
 }
 
 /**