vbo/save: fix possible crash related to fixup_vertex()
Indeed, buffer_in_ram could be reallocated by fixup_vertex() which triggers this issue.

For instance, with "piglit/gl-1.0-dlist-materials -auto -fbo":

==28392==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000010024 at pc 0x7f3f416fcf18 bp 0x7f3f33d12800 sp 0x7f3f33d127f8
WRITE of size 4 at 0x607000010024 thread T6
    #0 0x7f3f416fcf17 in _save_Materialfv ../src/mesa/vbo/vbo_save_api.c:1405
    #1 0x7f3f418199de in _mesa_unmarshal_Materialfv src/mapi/glapi/gen/marshal_generated0.c:5006
    #2 0x7f3f413c6863 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:65
    #3 0x7f3f4124d368 in util_queue_thread_func ../src/util/u_queue.c:309
    #4 0x7f3f41391eba in impl_thrd_routine ../src/c11/impl/threads_posix.c:67
    #5 0x7f3f4c619c6b in start_thread glibc-2.35/nptl/pthread_create.c:442
    #6 0x7f3f4c69e1fb in __clone3 (/lib64/libc.so.6+0x10c1fb)

0x607000010024 is located 20 bytes inside of 80-byte region [0x607000010010,0x607000010060)
freed by thread T6 here:
    #0 0x7f3f4f093b48 in __interceptor_realloc (/usr/lib64/libasan.so.6+0xb1b48)
    #1 0x7f3f416e5b0c in grow_vertex_storage ../src/mesa/vbo/vbo_save_api.c:417
    #2 0x7f3f416e69bc in fixup_vertex ../src/mesa/vbo/vbo_save_api.c:1266
    #3 0x7f3f416fb13e in _save_Materialfv ../src/mesa/vbo/vbo_save_api.c:1405
    #4 0x7f3f418199de in _mesa_unmarshal_Materialfv src/mapi/glapi/gen/marshal_generated0.c:5006
    #5 0x7f3f413c6863 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:65
    #6 0x7f3f4124d368 in util_queue_thread_func ../src/util/u_queue.c:309
    #7 0x7f3f41391eba in impl_thrd_routine ../src/c11/impl/threads_posix.c:67
    #8 0x7f3f4c619c6b in start_thread glibc-2.35/nptl/pthread_create.c:442

Signed-off-by: Patrick Lerda <[email protected]>
Reviewed-by: Marek Olšák <[email protected]>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21419>
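The bug class behind this report is a pointer into a growable heap buffer that is computed before a call which may reallocate that buffer, then written through afterwards. The following is an added, self-contained C model of that hazard and its fix; it is not Mesa's code and does not reproduce vbo_save_api.c. The struct, the names store_init, grow_vertex_storage, fixup_vertex, materialfv_buggy_dest and materialfv_fixed, and the sizes used are all assumptions chosen for illustration. grow_vertex_storage uses malloc+memcpy+free rather than realloc so that the buffer moves on every growth and the stale pointer is observable deterministically; the buggy path returns the stale address as an integer instead of dereferencing it, so the demonstration itself stays well defined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a display-list vertex store (not Mesa's code).
 * buffer_in_ram is heap memory that may move whenever storage grows, so any
 * pointer derived from it is valid only until the next growth. */
struct vertex_store {
    float *buffer_in_ram;  /* backing storage, relocated on growth */
    size_t used;           /* floats already written */
    size_t capacity;       /* floats allocated */
};

static bool store_init(struct vertex_store *s, size_t capacity)
{
    s->buffer_in_ram = calloc(capacity, sizeof(float));
    s->used = 0;
    s->capacity = capacity;
    return s->buffer_in_ram != NULL;
}

/* Grows the store. malloc+memcpy+free instead of realloc guarantees the buffer
 * moves; with realloc the move (and thus the bug) depends on heap state. */
static bool grow_vertex_storage(struct vertex_store *s, size_t min_capacity)
{
    size_t new_cap = s->capacity ? s->capacity * 2 : 16;
    while (new_cap < min_capacity)
        new_cap *= 2;
    float *fresh = malloc(new_cap * sizeof *fresh);
    if (!fresh)
        return false;
    memcpy(fresh, s->buffer_in_ram, s->used * sizeof *fresh);
    free(s->buffer_in_ram);            /* old block is now dangling */
    s->buffer_in_ram = fresh;
    s->capacity = new_cap;
    return true;
}

/* Stand-in for fixup_vertex(): switching an attribute to a larger size can
 * require more room for the current vertex, which may grow (move) the buffer. */
static bool fixup_vertex(struct vertex_store *s, size_t new_vertex_size)
{
    if (s->used + new_vertex_size > s->capacity)
        return grow_vertex_storage(s, s->used + new_vertex_size);
    return true;
}

/* Buggy ordering: dest is derived from buffer_in_ram before fixup_vertex()
 * may free that buffer. Writing *dest afterwards is the reported
 * heap-use-after-free; here the address is only returned, never written. */
static uintptr_t materialfv_buggy_dest(struct vertex_store *s, size_t attr_offset,
                                       size_t new_vertex_size)
{
    float *dest = s->buffer_in_ram + s->used + attr_offset;  /* taken too early */
    (void)fixup_vertex(s, new_vertex_size);
    return (uintptr_t)dest;
}

/* Fixed ordering: grow first, then derive the pointer from the live buffer. */
static float *materialfv_fixed(struct vertex_store *s, size_t attr_offset,
                               size_t new_vertex_size, const float *v, size_t n)
{
    if (!fixup_vertex(s, new_vertex_size))
        return NULL;
    float *dest = s->buffer_in_ram + s->used + attr_offset;
    memcpy(dest, v, n * sizeof *v);
    return dest;
}

/* Fills a store so the next fixup must grow, then reports whether the pointer
 * computed with the buggy ordering lies outside the live buffer. */
bool stale_pointer_detected(void)
{
    struct vertex_store s;
    if (!store_init(&s, 8))
        return false;
    s.used = 6;                                          /* 6 of 8 floats used */
    uintptr_t stale = materialfv_buggy_dest(&s, 0, 4);   /* 6 + 4 > 8: grows */
    uintptr_t lo = (uintptr_t)s.buffer_in_ram;
    uintptr_t hi = lo + s.capacity * sizeof(float);
    bool dangling = stale < lo || stale >= hi;
    free(s.buffer_in_ram);
    return dangling;
}

/* Same scenario with the fixed ordering: the write lands in live storage. */
bool fixed_ordering_writes_live_buffer(void)
{
    struct vertex_store s;
    if (!store_init(&s, 8))
        return false;
    s.used = 6;
    const float v[4] = {0.2f, 0.4f, 0.6f, 1.0f};
    float *dest = materialfv_fixed(&s, 0, 4, v, 4);
    bool ok = dest != NULL && dest >= s.buffer_in_ram &&
              dest + 4 <= s.buffer_in_ram + s.capacity &&
              memcmp(dest, v, sizeof v) == 0 && s.capacity == 16;
    free(s.buffer_in_ram);
    return ok;
}
```

The general rule the fix encodes: any call that can grow a buffer invalidates every raw pointer into it, so either recompute the pointer after the call (as materialfv_fixed does) or carry an offset and resolve it only at the point of the write. Building with -fsanitize=address and replacing the returned integer with an actual store through dest reproduces the same heap-use-after-free class as the report.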