From: Brian Paul Date: Fri, 23 May 2014 20:59:33 +0000 (-0600) Subject: glsl: fix use-after free bug/crash in ast_declarator_list::hir() X-Git-Tag: upstream/10.3~1822 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f9cecca7a6e3d9ff231075381b88d179e153a5a4;p=platform%2Fupstream%2Fmesa.git glsl: fix use-after free bug/crash in ast_declarator_list::hir() The call to get_variable_being_redeclared() may delete 'var' so we can't reference var->name afterward. We fix that by examining the var's name before making that call. Fixes valgrind warnings and possible crash when running the piglit tests/spec/glsl-1.30/execution/clipping/vs-clip-distance-in-param.shader_test test (and probably others). Cc: "10.1 10.2" Reviewed-by: Ian Romanick --- diff --git a/src/glsl/ast_to_hir.cpp b/src/glsl/ast_to_hir.cpp index 0128b3f..e06f9b4 100644 --- a/src/glsl/ast_to_hir.cpp +++ b/src/glsl/ast_to_hir.cpp @@ -3651,11 +3651,15 @@ ast_declarator_list::hir(exec_list *instructions, * instruction stream. */ exec_list initializer_instructions; + + /* Examine var name here since var may get deleted in the next call */ + bool var_is_gl_id = (strncmp(var->name, "gl_", 3) == 0); + ir_variable *earlier = get_variable_being_redeclared(var, decl->get_location(), state, false /* allow_all_redeclarations */); if (earlier != NULL) { - if (strncmp(var->name, "gl_", 3) == 0 && + if (var_is_gl_id && earlier->data.how_declared == ir_var_declared_in_block) { _mesa_glsl_error(&loc, state, "`%s' has already been redeclared using "
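Review bot: the `%s` argument to `_mesa_glsl_error()` in the `if (earlier != NULL)` branch sits after the call that may delete `var`, and the hunk is cut off before that argument is visible. If it is `var->name`, it is the same use-after-free that `var_is_gl_id` was introduced to avoid, and it should read `earlier->name` instead (`earlier` is known to be non-NULL there). Caching one boolean fixes only this one read, so any later `var->` access in the function is exposed in the same way. A more durable guard would be to document on `get_variable_being_redeclared()` that it may free its `var` argument, and to stop using `var` after the call whenever `earlier` is non-NULL. A small style point: `var_is_gl_id` is computed for every declarator even though it is only consulted when `earlier != NULL`. That is cheap and is fine as written, but the comment could say that the early evaluation is deliberate, so that a later cleanup does not move the `strncmp()` back below the call.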