Please add the bugzilla reference for 107366 Tested-by: Mark Janes <mark.a.ja...@intel.com>
Jason Ekstrand <ja...@jlekstrand.net> writes: > nir_sweep assumes that constants area always allocated off the variable > to which they belong. Violating this assumption causes them to get > freed early and leads to use-after-free bugs. > > Cc: mesa-sta...@lists.freedesktop.org > --- > src/compiler/nir/nir_serialize.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/compiler/nir/nir_serialize.c > b/src/compiler/nir/nir_serialize.c > index 6a30738c2d7..43016310048 100644 > --- a/src/compiler/nir/nir_serialize.c > +++ b/src/compiler/nir/nir_serialize.c > @@ -124,7 +124,7 @@ read_constant(read_ctx *ctx, nir_variable *nvar) > > blob_copy_bytes(ctx->blob, (uint8_t *)c->values, sizeof(c->values)); > c->num_elements = blob_read_uint32(ctx->blob); > - c->elements = ralloc_array(ctx->nir, nir_constant *, c->num_elements); > + c->elements = ralloc_array(nvar, nir_constant *, c->num_elements); > for (unsigned i = 0; i < c->num_elements; i++) > c->elements[i] = read_constant(ctx, nvar); > > -- > 2.17.1 > > _______________________________________________ > mesa-stable mailing list > mesa-sta...@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/mesa-stable _______________________________________________ mesa-dev mailing list mesa-dev@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/mesa-dev
