From c28707b50701b1cf8727be29d61e2d939c6ee58f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Michel=20D=C3=A4nzer?=
Date: Thu, 30 Apr 2009 13:21:08 +0200
Subject: [PATCH] r300: Increase reference count of texture objects referenced by current state.

Fixes a use-after-free reported in http://bugs.freedesktop.org/show_bug.cgi?id=20539, so this possibly fixes that bug. It has been confirmed to fix http://bugs.freedesktop.org/show_bug.cgi?id=17895 .
---
 src/mesa/drivers/dri/r300/r300_context.h | 2 +-
 src/mesa/drivers/dri/r300/r300_state.c | 2 +-
 src/mesa/drivers/dri/r300/r300_texmem.c | 5 +++--
 src/mesa/drivers/dri/r300/r300_texstate.c | 11 ++++++-----
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h
index 9c495869984..96a3205f1a3 100644
--- a/src/mesa/drivers/dri/r300/r300_context.h
+++ b/src/mesa/drivers/dri/r300/r300_context.h
@@ -215,7 +215,7 @@ struct r300_tex_obj {
 };
 struct r300_texture_env_state {
- r300TexObjPtr texobj;
+ struct gl_texture_object *texobj;
 GLenum format;
 GLenum envMode;
 };
diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c
index 6b79aa4313a..79f0b3625ca 100644
--- a/src/mesa/drivers/dri/r300/r300_state.c
+++ b/src/mesa/drivers/dri/r300/r300_state.c
@@ -1362,7 +1362,7 @@ static void r300SetupTextures(GLcontext * ctx)
 #endif
 tmu_mappings[i] = hw_tmu;
- t = r300->state.texture.unit[i].texobj;
+ t = (r300TexObjPtr) r300->state.texture.unit[i].texobj->DriverData;
 /* XXX questionable fix for bug 9170: */
 if (!t) continue;
diff --git a/src/mesa/drivers/dri/r300/r300_texmem.c b/src/mesa/drivers/dri/r300/r300_texmem.c
index 0fe51b0c680..a89ab83d948 100644
--- a/src/mesa/drivers/dri/r300/r300_texmem.c
+++ b/src/mesa/drivers/dri/r300/r300_texmem.c
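Review bot: The retyped `texobj` field in `struct r300_texture_env_state` (r300_context.h) has no comment saying it now holds a counted reference, so a later direct assignment would silently bypass the reference count this patch relies on. I would document that on the field, e.g. `struct gl_texture_object *texobj; /* counted reference: change only through _mesa_reference_texobj() */`. The writes in r300_texmem.c and r300_texstate.c in this patch already follow that rule.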
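Review bot: In r300SetupTextures the new line dereferences `r300->state.texture.unit[i].texobj` before the `if (!t) continue;` guard, so the guard no longer covers a unit whose `texobj` is NULL, which is the state r300DestroyTexObj leaves behind in this same patch. Unless an earlier check in the loop, outside this hunk, rules that out, this is a NULL pointer dereference where the old code simply skipped the unit. I would test the pointer before reading through it: `t = r300->state.texture.unit[i].texobj ? (r300TexObjPtr) r300->state.texture.unit[i].texobj->DriverData : NULL;`. The function body starts and ends outside the hunk.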
@@ -44,6 +44,7 @@ SOFTWARE.
 #include "main/colormac.h"
 #include "main/macros.h"
 #include "main/simple_list.h"
+#include "main/texobj.h"
 #include "radeon_reg.h" /* gets definition for usleep */
 #include "r300_context.h"
 #include "r300_state.h"
@@ -71,8 +72,8 @@ void r300DestroyTexObj(r300ContextPtr rmesa, r300TexObjPtr t)
 }
 for (i = 0; i < rmesa->radeon.glCtx->Const.MaxTextureUnits; i++) {
- if (rmesa->state.texture.unit[i].texobj == t) {
- rmesa->state.texture.unit[i].texobj = NULL;
+ if (rmesa->state.texture.unit[i].texobj == t->base.tObj) {
+ _mesa_reference_texobj(&rmesa->state.texture.unit[i].texobj, NULL);
 }
 }
 }
diff --git a/src/mesa/drivers/dri/r300/r300_texstate.c b/src/mesa/drivers/dri/r300/r300_texstate.c
index cadec7f3ecf..abe613e27bc 100644
--- a/src/mesa/drivers/dri/r300/r300_texstate.c
+++ b/src/mesa/drivers/dri/r300/r300_texstate.c
@@ -567,19 +567,20 @@ static GLboolean r300UpdateTexture(GLcontext * ctx, int unit)
 /* Update state if this is a different texture object to last
 * time.
 */
- if (rmesa->state.texture.unit[unit].texobj != t) {
+ if (rmesa->state.texture.unit[unit].texobj != tObj) {
 if (rmesa->state.texture.unit[unit].texobj != NULL) {
+ r300TexObjPtr t_old = (r300TexObjPtr) rmesa->state.texture.unit[unit].texobj->DriverData;
+
 /* The old texture is no longer bound to this texture unit.
 * Mark it as such.
 */
- rmesa->state.texture.unit[unit].texobj->base.bound &=
- ~(1 << unit);
+ t_old->base.bound &= ~(1 << unit);
 }
- rmesa->state.texture.unit[unit].texobj = t;
+ _mesa_reference_texobj(&rmesa->state.texture.unit[unit].texobj, tObj);
 t->base.bound |= (1 << unit);
- driUpdateTextureLRU((driTextureObject *) t); /* XXX: should be locked! */
+ driUpdateTextureLRU(&t->base); /* XXX: should be locked! */
 }
 return !t->border_fallback;
--
2.30.2
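Review bot: The `_mesa_reference_texobj(..., NULL)` call in r300DestroyTexObj may release the last reference to the GL texture object while its driver object `t` is still being torn down, and nothing visible in the hunk says whether that release can call back into the driver's delete path for the same `t`. If it can, `t` would be destroyed twice; I cannot confirm either way because the callers and the rest of the function are outside the hunk. Please confirm the call order and record it above the loop, e.g. `/* Drops the unit's reference; must not re-enter r300DestroyTexObj for t. */`.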
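Review bot: In r300UpdateTexture, `t_old` is read from `texobj->DriverData` and dereferenced at `t_old->base.bound &= ~(1 << unit);` without a NULL test, although r300SetupTextures in this same patch treats a NULL `DriverData` result as possible (`if (!t) continue;`). Now that the unit keeps the GL object alive through its own reference, the GL object may plausibly outlive its driver data, so I would guard the update: `if (t_old) t_old->base.bound &= ~(1 << unit);`. The function starts outside the hunk, so whether `t` and `tObj` are validated earlier is not visible here.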