Module: Mesa Branch: staging/18.1 Commit: e7576d62e1bd7e230b51ca938da679cb51e049bc URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=e7576d62e1bd7e230b51ca938da679cb51e049bc
Author: Jason Ekstrand <[email protected]> Date: Tue Jul 24 11:01:20 2018 -0700 nir/serialize: Alloc constants off the variable nir_sweep assumes that constants area always allocated off the variable to which they belong. Violating this assumption causes them to get freed early and leads to use-after-free bugs. Fixes: 120da00975541 "nir: add serialization and deserialization" Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107366 Reviewed-by: Lionel Landwerlin <[email protected]> Tested-by: Mark Janes <[email protected]> (cherry picked from commit f214baf72ff89ba03342067f89c38b4bc84e298b) --- src/compiler/nir/nir_serialize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/compiler/nir/nir_serialize.c b/src/compiler/nir/nir_serialize.c index 00df49c2ef..cf77e756fc 100644 --- a/src/compiler/nir/nir_serialize.c +++ b/src/compiler/nir/nir_serialize.c @@ -124,7 +124,7 @@ read_constant(read_ctx *ctx, nir_variable *nvar) blob_copy_bytes(ctx->blob, (uint8_t *)c->values, sizeof(c->values)); c->num_elements = blob_read_uint32(ctx->blob); - c->elements = ralloc_array(ctx->nir, nir_constant *, c->num_elements); + c->elements = ralloc_array(nvar, nir_constant *, c->num_elements); for (unsigned i = 0; i < c->num_elements; i++) c->elements[i] = read_constant(ctx, nvar); _______________________________________________ mesa-commit mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-commit
