diff options
| author | Simon McVittie <smcv@debian.org> | 2019-08-25 16:44:07 +0100 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2019-09-06 08:58:15 +0100 |
| commit | 76592f6415ec3210eac4f4104f2d563856fd7ff4 (patch) | |
| tree | 72322e2669077f8deeabbcbd81c8c0d577209209 | |
| parent | 0ca04949294aeb1bc96e051ed00c92dee36688c3 (diff) | |
| download | cogl-wip/smcv/test-premult-use-after-free.tar.gz | |
test-premult: Don't free texture data until CoglBitmap is freedwip/smcv/test-premult-use-after-free
According to the cogl_bitmap_new_for_data documentation, the data is not
copied, so the application must keep the buffer alive for the lifetime
of the CoglBitmap. Freeing it too early led to a use-after-free in the
cogl unit tests.
==6223==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100001a500 at pc 0x7f3e2d4e7f4e bp 0x7ffcd9c41f30 sp 0x7ffcd9c416e0
READ of size 4096 at 0x62100001a500 thread T0
#0 0x7f3e2d4e7f4d (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x96f4d)
#1 0x7f3e260c7f6b in util_copy_box ../src/gallium/auxiliary/util/u_surface.c:131
#2 0x7f3e268c6c10 in u_default_texture_subdata ../src/gallium/auxiliary/util/u_transfer.c:67
#3 0x7f3e26486459 in st_TexSubImage ../src/mesa/state_tracker/st_cb_texture.c:1480
#4 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1709
#5 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1691
#6 0x7f3e2644bdba in teximage ../src/mesa/main/teximage.c:3105
#7 0x7f3e2644bdba in teximage_err ../src/mesa/main/teximage.c:3132
#8 0x7f3e2644d84f in _mesa_TexImage2D ../src/mesa/main/teximage.c:3170
#9 0x7f3e2cd1f7df in _cogl_texture_driver_upload_to_gl driver/gl/gl/cogl-texture-driver-gl.c:347
#10 0x7f3e2ccd441b in allocate_from_bitmap driver/gl/cogl-texture-2d-gl.c:255
#11 0x7f3e2ccd441b in _cogl_texture_2d_gl_allocate driver/gl/cogl-texture-2d-gl.c:462
#12 0x7f3e2ce3a6c0 in cogl_texture_allocate cogl/cogl-texture.c:1398
#13 0x7f3e2ce3e116 in _cogl_texture_pre_paint cogl/cogl-texture.c:359
#14 0x7f3e2cdee177 in _cogl_pipeline_layer_pre_paint cogl/cogl-pipeline-layer.c:864
#15 0x7f3e2cd574af in _cogl_rectangles_validate_layer_cb cogl/cogl-primitives.c:542
#16 0x7f3e2cdd742f in cogl_pipeline_foreach_layer cogl/cogl-pipeline.c:735
#17 0x7f3e2cd5c8b0 in _cogl_framebuffer_draw_multitextured_rectangles cogl/cogl-primitives.c:658
#18 0x7f3e2cd60152 in cogl_rectangle cogl/cogl-primitives.c:858
#19 0x5570a71ed6a0 in check_texture tests/conform/test-premult.c:103
#20 0x5570a71ed946 in test_premult tests/conform/test-premult.c:159
#21 0x5570a71df0d6 in main tests/conform/test-conform-main.c:58
#22 0x7f3e2bcd809a in __libc_start_main ../csu/libc-start.c:308
#23 0x5570a71e0869 in _start (/home/smcv/src/debian/cogl/tests/conform/.libs/test-conformance+0x33869)
0x62100001a500 is located 0 bytes inside of 4096-byte region [0x62100001a500,0x62100001b500)
freed by thread T0 here:
#0 0x7f3e2d5581d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7)
#1 0x5570a71ed58b in make_texture tests/conform/test-premult.c:69
previously allocated by thread T0 here:
#0 0x7f3e2d558588 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107588)
#1 0x7f3e2d384500 in g_malloc ../../../glib/gmem.c:99
Signed-off-by: Simon McVittie <smcv@debian.org>
| -rw-r--r-- | tests/conform/test-premult.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/tests/conform/test-premult.c b/tests/conform/test-premult.c index 816c4873..7475f6a8 100644 --- a/tests/conform/test-premult.c +++ b/tests/conform/test-premult.c @@ -49,6 +49,7 @@ make_texture (uint32_t color, CoglPixelFormat src_format, MakeTextureFlags flags) { + static CoglUserDataKey bitmap_free_key; CoglTexture2D *tex_2d; guchar *tex_data = gen_tex_data (color); CoglBitmap *bmp = cogl_bitmap_new_for_data (test_ctx, @@ -57,6 +58,10 @@ make_texture (uint32_t color, src_format, QUAD_WIDTH * 4, tex_data); + cogl_object_set_user_data (COGL_OBJECT (bmp), + &bitmap_free_key, + tex_data, + g_free); tex_2d = cogl_texture_2d_new_from_bitmap (bmp); @@ -66,7 +71,6 @@ make_texture (uint32_t color, cogl_texture_set_premultiplied (tex_2d, FALSE); cogl_object_unref (bmp); - g_free (tex_data); return tex_2d; } |