On 01/03/2012 06:36 PM, Anuj Phogat wrote:
Coverity reported a read from pointer after free defect in
src/mesa/drivers/dri/intel/intel_mipmap_tree.c.
In intel_miptree_all_slices_resolve() function, i = i->next was
executing after freeing i. I have defined a temporary variable
(next) to store the value of i->next before freeing i.
Reported-by: Vinson Lee<v...@vmware.com>
Signed-off-by: Anuj Phogat<anuj.pho...@gmail.com>
I suggest changing the short commit message to "Don't read node next
pointer after freeing node" and adding
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44205
to the commit message. Then it's
Reviewed-by: Ian Romanick <ian.d.roman...@intel.com>
---
src/mesa/drivers/dri/intel/intel_mipmap_tree.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
index 60cc694..7787c1a 100644
--- a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
+++ b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
@@ -640,12 +640,13 @@ intel_miptree_all_slices_resolve(struct intel_context
*intel,
resolve_func_t func)
{
bool did_resolve = false;
- struct intel_resolve_map *i;
+ struct intel_resolve_map *i, *next;
- for (i = mt->hiz_map.next; i; i = i->next) {
+ for (i = mt->hiz_map.next; i; i = next) {
if (i->need != need)
continue;
func(intel, mt, i->level, i->layer);
+ next = i->next;
intel_resolve_map_remove(i);
did_resolve = true;
}
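Review bot: The `continue` taken when `i->need != need` runs before `next = i->next;`, so on that path the loop step `i = next` uses a value that was not set for the current node. If the first node is skipped, `next` is read uninitialized. If a node is skipped right after a removal, `next` still holds the pointer saved in the previous iteration, which is the node just skipped, so the loop would revisit it indefinitely. Assign `next = i->next;` as the first statement of the loop body, ahead of the `if`, so it is set on every iteration, including the skipped ones.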
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev