Re: [Mesa-dev] [PATCH] Bug 44205 - read from pointer after free
On Tue 03 Jan 2012 07:14:09 PM PST, Ian Romanick wrote:
> On 01/03/2012 06:36 PM, Anuj Phogat wrote:
>> Coverity reported a read from pointer after free defect in
>> src/mesa/drivers/dri/intel/intel_mipmap_tree.c
>> In intel_miptree_all_slices_resolve() function, i = i->next was
>> executing after freeing i. I have defined a temporary variable
>> (next) to store the value of i->next before freeing i
>>
>> Reported-by: Vinson Lee
>> Signed-off-by: Anuj Phogat
>
> I suggest changing the short commit message to "Don't read node next
> pointer after freeing node" and adding
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44205
>
> to the commit message. Then it's
>
> Reviewed-by: Ian Romanick

Ian,
I pushed the changes before seeing your e-mail with a modified commit message:

Fix read from pointer after free

Coverity reported a read from pointer after free defect in
src/mesa/drivers/dri/intel/intel_mipmap_tree.c. Bug# 44205
In intel_miptree_all_slices_resolve() function, i = i->next was
executing after freeing i. I have defined a temporary variable
(next) to store the value of i->next before freeing i

Thanks
Anuj
___
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev
Re: [Mesa-dev] [PATCH] Bug 44205 - read from pointer after free
On 01/03/2012 06:36 PM, Anuj Phogat wrote: Coverity reported a read from pointer after free defect in src/mesa/drivers/dri/intel/intel_mipmap_tree.c In intel_miptree_all_slices_resolve() function, i = i->next was executing after freeing i. I have defined a temporary variable (next) to store the value of i->next before freeing i Reported-by: Vinson Lee Signed-off-by: Anuj Phogat I suggest changing the short commit message to "Don't read node next pointer after freeing node" and adding Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44205 to the commit message. Then it's Reviewed-by: Ian Romanick --- src/mesa/drivers/dri/intel/intel_mipmap_tree.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c index 60cc694..7787c1a 100644 --- a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c +++ b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c @@ -640,12 +640,13 @@ intel_miptree_all_slices_resolve(struct intel_context *intel, resolve_func_t func) { bool did_resolve = false; - struct intel_resolve_map *i; + struct intel_resolve_map *i, *next; - for (i = mt->hiz_map.next; i; i = i->next) { + for (i = mt->hiz_map.next; i; i = next) { if (i->need != need) continue; func(intel, mt, i->level, i->layer); + next = i->next; intel_resolve_map_remove(i); did_resolve = true; } ___ mesa-dev mailing list mesa-dev@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/mesa-dev
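Review bot: `next = i->next;` is assigned only after the `if (i->need != need) continue;` test, so when a node is skipped the loop increment `i = next` runs with a `next` that was never set for that node. On the first pass it is uninitialized; after an earlier removal it still holds the value saved then, which is the current node, so the loop stops advancing. Make the assignment the first statement of the loop body, before the `need` check, so every path reaches the increment with the successor of the node being visited, and keep it ahead of `intel_resolve_map_remove(i)` as it is now.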
Re: [Mesa-dev] [PATCH] Bug 44205 - read from pointer after free
On Tue, 3 Jan 2012 18:36:22 -0800, Anuj Phogat wrote:
> Coverity reported a read from pointer after free defect in
> src/mesa/drivers/dri/intel/intel_mipmap_tree.c
> In intel_miptree_all_slices_resolve() function, i = i->next was
> executing after freeing i. I have defined a temporary variable
> (next) to store the value of i->next before freeing i

Reviewed-by: Eric Anholt