Commit 05b069b0 authored by Julian Eisel's avatar Julian Eisel 💬

Fix two use-after-free's and multiple memory leaks

parent af051523
......@@ -463,15 +463,7 @@ vk_swapchain_create_image_views(struct vk_swapchain *sc)
void
vk_swapchain_cleanup(struct vk_swapchain *sc)
{
for (uint32_t i = 0; i < sc->image_count; i++) {
if (sc->buffers[i].view == VK_NULL_HANDLE) {
continue;
}
sc->vk->vkDestroyImageView(sc->vk->device, sc->buffers[i].view,
NULL);
sc->buffers[i].view = VK_NULL_HANDLE;
}
vk_swapchain_destroy_image_views(sc);
if (sc->swap_chain != VK_NULL_HANDLE) {
sc->vk->vkDestroySwapchainKHR(sc->vk->device, sc->swap_chain,
......
......@@ -9,6 +9,7 @@
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
......@@ -238,6 +239,8 @@ comp_distortion_destroy(struct comp_distortion *d)
vk->vkDestroyPipeline(vk->device, d->pipeline, NULL);
vk->vkDestroyPipelineLayout(vk->device, d->pipeline_layout, NULL);
free(d);
}
static void
......
......@@ -91,6 +91,10 @@ gui_scene_manager_init(struct gui_program *p)
extern "C" void
gui_scene_manager_destroy(struct gui_program *p)
{
for (auto scene : p->gsm->scenes) {
scene->destroy(scene, p);
}
delete p->gsm;
p->gsm = NULL;
}
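Review bot: The loop over `p->gsm->scenes` dereferences `p->gsm` unconditionally, so a call with `p->gsm == NULL` now crashes, whereas `delete p->gsm; p->gsm = NULL;` on its own tolerated that. The function leaves `p->gsm` NULL on exit, so a second destroy call hits exactly this case. A guard ahead of the loop, `if (p->gsm == NULL) { return; }`, keeps the old tolerance. It is also worth confirming that no `scene->destroy` callback adds to or removes from `p->gsm->scenes`, since that would invalidate the range-for iterators; the callbacks are not visible in this section.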
......@@ -215,13 +215,19 @@ interaction_profile_find_or_create(struct oxr_logger *log,
return true;
}
static void
reset_binding_keys(struct oxr_binding *binding)
{
free(binding->keys);
binding->keys = NULL;
binding->num_keys = 0;
}
static void
reset_all_keys(struct oxr_binding *bindings, size_t num_bindings)
{
for (size_t x = 0; x < num_bindings; x++) {
free(bindings[x].keys);
bindings[x].keys = NULL;
bindings[x].num_keys = 0;
reset_binding_keys(&bindings[x]);
}
}
......@@ -331,6 +337,8 @@ oxr_binding_destroy_all(struct oxr_logger *log, struct oxr_instance *inst)
for (size_t y = 0; y < p->num_bindings; y++) {
struct oxr_binding *b = &p->bindings[y];
reset_binding_keys(b);
free(b->paths);
free(b->inputs);
free(b->outputs);
......@@ -346,6 +354,8 @@ oxr_binding_destroy_all(struct oxr_logger *log, struct oxr_instance *inst)
free(p->bindings);
p->bindings = NULL;
p->num_bindings = 0;
free(p);
}
free(inst->profiles);
......
......@@ -152,8 +152,9 @@ oxr_poll_event(struct oxr_logger *log,
return XR_EVENT_UNAVAILABLE;
}
XrResult ret = event->result;
memcpy(eventData, oxr_event_extra(event), event->length);
free(event);
return event->result;
return ret;
}
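Review bot: The `memcpy(eventData, oxr_event_extra(event), event->length);` just above the corrected return copies `event->length` bytes with no visible check that the destination can hold them. oxr_poll_event starts outside this hunk, so the bound may be enforced earlier or where events are allocated; if it is not, an oversized event would write past the caller's buffer. Since the commit already touches these lines, an `assert` or an explicit comparison of `event->length` against the destination size before the copy would make the invariant checkable.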
......@@ -22,6 +22,20 @@
oxr_log(log, " Handle Lifecycle: " __VA_ARGS__); \
}
// Variation of HANDLE_LIFECYCLE_LOG() to wrap a handle free() which might
// potentially free the instance (in which logger info is stored).
#define HANDLE_LIFECYCLE_LOG_SCOPED_BEGIN(log) \
{ \
const bool _log_lifecycle_verbose = \
log->inst != NULL && log->inst->lifecycle_verbose;
#define HANDLE_LIFECYCLE_LOG_SCOPED_END \
} \
(void)0
#define HANDLE_LIFECYCLE_LOG_SCOPED(log, ...) \
if (_log_lifecycle_verbose) { \
oxr_log(log, " Handle Lifecycle: " __VA_ARGS__); \
}
const char *
oxr_handle_state_to_string(enum oxr_handle_state state)
......@@ -171,17 +185,23 @@ oxr_handle_do_destroy(struct oxr_logger *log,
}
}
/* Destroy self */
HANDLE_LIFECYCLE_LOG(
log, "[%d: destroying %p] Calling handle object destructor", level,
(void *)hb);
hb->state = OXR_HANDLE_STATE_DESTROYED;
XrResult result = hb->destroy(log, hb);
if (result != XR_SUCCESS) {
return result;
/* Might destroy instance, which log needs, so use secured variant */
HANDLE_LIFECYCLE_LOG_SCOPED_BEGIN(log)
{
/* Destroy self */
HANDLE_LIFECYCLE_LOG_SCOPED(
log, "[%d: destroying %p] Calling handle object destructor",
level, (void *)hb);
hb->state = OXR_HANDLE_STATE_DESTROYED;
XrResult result = hb->destroy(log, hb);
if (result != XR_SUCCESS) {
return result;
}
HANDLE_LIFECYCLE_LOG_SCOPED(log, "r%d: destroying %p] Done",
level, (void *)hb);
}
HANDLE_LIFECYCLE_LOG(log, "[%d: destroying %p] Done", level,
(void *)hb);
HANDLE_LIFECYCLE_LOG_SCOPED_END;
return XR_SUCCESS;
}
......@@ -191,13 +211,20 @@ oxr_handle_destroy(struct oxr_logger *log, struct oxr_handle_base *hb)
assert(log != NULL);
assert(hb != NULL);
HANDLE_LIFECYCLE_LOG(
log, "[~: destroying %p] oxr_handle_destroy starting", (void *)hb);
/* Might destroy instance, which log needs, so use secured variant */
HANDLE_LIFECYCLE_LOG_SCOPED_BEGIN(log)
{
HANDLE_LIFECYCLE_LOG_SCOPED(
log, "[~: destroying %p] oxr_handle_destroy starting",
(void *)hb);
XrResult result = oxr_handle_do_destroy(log, hb, 0);
XrResult result = oxr_handle_do_destroy(log, hb, 0);
HANDLE_LIFECYCLE_LOG(
log, "[~: destroying %p] oxr_handle_destroy finished", (void *)hb);
HANDLE_LIFECYCLE_LOG_SCOPED(
log, "[~: destroying %p] oxr_handle_destroy finished",
(void *)hb);
return result;
return result;
}
HANDLE_LIFECYCLE_LOG_SCOPED_END;
}
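Review bot: The post-destroy messages (`Done` in oxr_handle_do_destroy, `finished` in oxr_handle_destroy) still hand `log` to `oxr_log()` after `hb->destroy()` may have freed the instance. Caching `_log_lifecycle_verbose` removes the read of `log->inst->lifecycle_verbose`, but if `oxr_log()` itself consults `log->inst` (its body is not visible here) the use-after-free remains. The macro comment should state that requirement, e.g. `// oxr_log() must not dereference log->inst when called inside this scope`. Separately, the format string `"r%d: destroying %p] Done"` looks like a typo for `"[%d: destroying %p] Done"`, and the macro argument should be parenthesised as `(log)->inst`.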
......@@ -588,6 +588,9 @@ oxr_session_destroy(struct oxr_logger *log, struct oxr_handle_base *hb)
// Does a null-ptr check.
xrt_comp_destroy(&sess->compositor);
u_hashmap_int_destroy(&sess->act_sets);
u_hashmap_int_destroy(&sess->sources);
free(sess);
return XR_SUCCESS;
......
......@@ -98,7 +98,9 @@ oxr_swapchain_destroy(struct oxr_logger *log, struct oxr_handle_base *hb)
{
struct oxr_swapchain *sc = (struct oxr_swapchain *)hb;
return sc->destroy(log, sc);
XrResult ret = sc->destroy(log, sc);
free(sc);
return ret;
}
XrResult
......
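Review bot: `free(sc)` now runs even when `sc->destroy(log, sc)` returns an error, while oxr_handle_do_destroy propagates that error with an early `return result;`. Because `sc` is the same allocation as `hb`, any caller that inspects or retries the handle after a failed destroy would read freed memory; whether such a caller exists is not visible here. A short comment stating the contract would help, e.g. `/* sc is released even if destroy fails; hb must not be used afterwards */`. It is also worth checking that no `sc->destroy` implementation already frees `sc`, since that would turn this into a double free.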