cso: Don't restore nr_samplers in cso_restore_fragment_samplers

If info->nr_samplers > ctx->nr_fragment_samplers_saved, the assignment
would prevent cso_single_sampler_done from unbinding the no longer used
samplers from the driver, which could result in use-after-free. This is
probably unlikely to happen in practice though.

Cc: "12.0 13.0" <mesa-stable@lists.freedesktop.org>
Reviewed-by: Nicolai Hähnle <nicolai.haehnle@amd.com>

diff --git a/src/gallium/auxiliary/cso_cache/cso_context.c b/src/gallium/auxiliary/cso_cache/cso_context.c
index 127e0711c20516a6fcdd5d5ff8d6c86f6395edd2..2ee87f91848e9ed8efbe582dbe59cfea9f96c638 100644 (file)
--- a/src/gallium/auxiliary/cso_cache/cso_context.c
+++ b/src/gallium/auxiliary/cso_cache/cso_context.c
@@ -1275,7 +1275,6 @@ cso_restore_fragment_samplers(struct cso_context *ctx)
 {
    struct sampler_info *info = &ctx->samplers[PIPE_SHADER_FRAGMENT];
 
-   info->nr_samplers = ctx->nr_fragment_samplers_saved;
    memcpy(info->samplers, ctx->fragment_samplers_saved,
           sizeof(info->samplers));
    cso_single_sampler_done(ctx, PIPE_SHADER_FRAGMENT);