anv: fix use after free when copying nir_xfb_info (!442) · Merge requests · Mesa / mesa

Alejandro Piñeiro requested to merge apinheiro/mesa:review/fix-xfb-use-after-free into master Mar 13, 2019

After adding varyings to nir_xfb_info, I added varyings as a pointer, and replaced outputs[0] for also a pointer, so now both needed to be allocated. But anv was copying such xfb info as: *xfb_info = *xfb_info_in

So after my changes, that line was assigning the outputs pointer, instead of copying. Then xfb_info_in was freed, and that included their outputs, that now are xfb_info outputs too. Unfourtunately, as as with other use after free crashes, the crash didn't happen always, just with some configurations. And that included not crashing on Intel CI.

Thanks @jasuarez for pinging me with this issue.

anv: fix use after free when copying nir_xfb_info

Merge request reports