From fe4271c42d14a16935071476a685388a5ce13f7d Mon Sep 17 00:00:00 2001 From: Patrick Lerda Date: Fri, 17 Feb 2023 03:01:37 +0100 Subject: [PATCH] vbo/save: fix possible crash related to fixup_vertex() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Indeed, buffer_in_ram could be reallocated by fixup_vertex() which triggers this issue. For instance, with "piglit/gl-1.0-dlist-materials -auto -fbo": ==28392==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000010024 at pc 0x7f3f416fcf18 bp 0x7f3f33d12800 sp 0x7f3f33d127f8 WRITE of size 4 at 0x607000010024 thread T6 #0 0x7f3f416fcf17 in _save_Materialfv ../src/mesa/vbo/vbo_save_api.c:1405 #1 0x7f3f418199de in _mesa_unmarshal_Materialfv src/mapi/glapi/gen/marshal_generated0.c:5006 #2 0x7f3f413c6863 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:65 #3 0x7f3f4124d368 in util_queue_thread_func ../src/util/u_queue.c:309 #4 0x7f3f41391eba in impl_thrd_routine ../src/c11/impl/threads_posix.c:67 #5 0x7f3f4c619c6b in start_thread glibc-2.35/nptl/pthread_create.c:442 #6 0x7f3f4c69e1fb in __clone3 (/lib64/libc.so.6+0x10c1fb) 0x607000010024 is located 20 bytes inside of 80-byte region [0x607000010010,0x607000010060) freed by thread T6 here: #0 0x7f3f4f093b48 in __interceptor_realloc (/usr/lib64/libasan.so.6+0xb1b48) #1 0x7f3f416e5b0c in grow_vertex_storage ../src/mesa/vbo/vbo_save_api.c:417 #2 0x7f3f416e69bc in fixup_vertex ../src/mesa/vbo/vbo_save_api.c:1266 #3 0x7f3f416fb13e in _save_Materialfv ../src/mesa/vbo/vbo_save_api.c:1405 #4 0x7f3f418199de in _mesa_unmarshal_Materialfv src/mapi/glapi/gen/marshal_generated0.c:5006 #5 0x7f3f413c6863 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:65 #6 0x7f3f4124d368 in util_queue_thread_func ../src/util/u_queue.c:309 #7 0x7f3f41391eba in impl_thrd_routine ../src/c11/impl/threads_posix.c:67 #8 0x7f3f4c619c6b in start_thread glibc-2.35/nptl/pthread_create.c:442 
Signed-off-by: Patrick Lerda
Reviewed-by: Marek Olšák
Part-of:
---
 src/mesa/vbo/vbo_save_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mesa/vbo/vbo_save_api.c b/src/mesa/vbo/vbo_save_api.c
index 49fa879cd4b4..9d8cf44eaa24 100644
--- a/src/mesa/vbo/vbo_save_api.c
+++ b/src/mesa/vbo/vbo_save_api.c
@@ -1321,10 +1321,10 @@ do { \
 \
 if (save->active_sz[A] != N) { \
 bool had_dangling_ref = save->dangling_attr_ref; \
- fi_type *dest = save->vertex_store->buffer_in_ram; \
 if (fixup_vertex(ctx, A, N * sz, T) && \
 !had_dangling_ref && save->dangling_attr_ref && \
 A != VBO_ATTRIB_POS) { \
+ fi_type *dest = save->vertex_store->buffer_in_ram; \
 /* Copy the new attr values to the already copied \
 * vertices. \
 */ \
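Review bot: The relocated `dest` initialization inside the `if (fixup_vertex(...))` branch carries no hint that its position is load-bearing, so a later refactor could hoist it back above the call and silently reintroduce the heap-use-after-free the commit message describes. I would pin the ordering with a comment on the new line, `/* fixup_vertex() may have reallocated buffer_in_ram (grow_vertex_storage); read the pointer only after the call. */`. The same caution presumably applies to any other pointer into the vertex store cached across a fixup_vertex() call elsewhere in this file, though none is visible in this hunk. The macro body, including the loop that writes through `dest`, continues past the end of the hunk.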