From 0d73ac6b02cac46d4a8f3cd1ffa591e071577fa7 Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Fri, 12 Sep 2014 06:29:04 -0600 Subject: [PATCH] mesa: fix _mesa_free_pipeline_data() use-after-free bug Unreference the ctx->_Shader object before we delete all the pipeline objects in the hash table. Before, ctx->_Shader could point to freed memory when _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL) was called. Fixes crash when exiting the piglit rendezvous_by_location test on Windows. Cc: mesa-stable@lists.freedesktop.org Reviewed-by: Ian Romanick --- src/mesa/main/pipelineobj.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mesa/main/pipelineobj.c b/src/mesa/main/pipelineobj.c index 017d4257eb8..b713d956f78 100644 --- a/src/mesa/main/pipelineobj.c +++ b/src/mesa/main/pipelineobj.c @@ -120,12 +120,12 @@ delete_pipelineobj_cb(GLuint id, void *data, void *userData) void _mesa_free_pipeline_data(struct gl_context *ctx) { + _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL); + _mesa_HashDeleteAll(ctx->Pipeline.Objects, delete_pipelineobj_cb, ctx); _mesa_DeleteHashTable(ctx->Pipeline.Objects); - _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL); _mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default); - } /** -- 2.30.2