From 0c181cdc6c0efdd98927b010239e0376399cecbf Mon Sep 17 00:00:00 2001
From: Jan Vesely
Date: Mon, 23 Jun 2014 10:39:00 -0400
Subject: [PATCH] r600: Fix use after free in compute_memory_promote_item.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The dst pointer needs to be initialized after any calls to compute_memory_grow_pool, as the function might change the pool->vbo pointer.

This fixes crashes and assertion failures in two gegl tests.

Reviewed-by: Bruno Jiménez
Signed-off-by: Jan Vesely
---
 src/gallium/drivers/r600/compute_memory_pool.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/r600/compute_memory_pool.c b/src/gallium/drivers/r600/compute_memory_pool.c
index 518ea654e40..691c9383f15 100644
--- a/src/gallium/drivers/r600/compute_memory_pool.c
+++ b/src/gallium/drivers/r600/compute_memory_pool.c
@@ -308,8 +308,8 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 {
 struct pipe_screen *screen = (struct pipe_screen *)pool->screen;
 struct r600_context *rctx = (struct r600_context *)pipe;
- struct pipe_resource *dst = (struct pipe_resource *)pool->bo;
 struct pipe_resource *src = (struct pipe_resource *)item->real_buffer;
+ struct pipe_resource *dst = NULL;
 struct pipe_box box;
 struct list_head *pos;
@@ -336,6 +336,7 @@ int compute_memory_promote_item(struct compute_memory_pool *pool,
 if (err == -1)
 return -1;
 }
+ dst = (struct pipe_resource *)pool->bo;
 COMPUTE_DBG(pool->screen, " + Found space for Item %p id = %u "
 "start_in_dw = %u (%u bytes) size_in_dw = %u (%u bytes)\n",
 item, item->id, start_in_dw, start_in_dw * 4,
-- 
2.30.2
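Review bot: The new `dst = (struct pipe_resource *)pool->bo;` in the second hunk is only safe because it sits after the block containing the compute_memory_grow_pool() call (the `}` just above it), and nothing at that line records the ordering constraint, so a later edit that hoists the read back up or adds another grow call below it would silently reintroduce the use-after-free this commit fixes. I would pin the invariant next to the assignment: `/* Read pool->bo only after any compute_memory_grow_pool() call above: growing the pool can replace, and free, the old buffer. */`. Any other pointer cached from pool->bo before that call, in the part of compute_memory_promote_item outside this hunk, would need the same treatment, which I cannot confirm from here. The commit description refers to `pool->vbo` while the code reads `pool->bo`; presumably the same field. compute_memory_promote_item begins before this hunk and the COMPUTE_DBG call continues past its last line.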