diff options
| author | Michel Dänzer <daenzer@vmware.com> | 2009-04-30 13:21:08 +0200 |
|---|---|---|
| committer | Michel Dänzer <daenzer@vmware.com> | 2009-04-30 13:21:08 +0200 |
| commit | c28707b50701b1cf8727be29d61e2d939c6ee58f (patch) | |
| tree | 97266614c6e162f4730427c2e4e33f547fcd9def | |
| parent | ba27fe3710af4933a16278a3e97162bef1737b56 (diff) | |
r300: Increase reference count of texture objects referenced by current state.
Fixes a use-after-free reported in
http://bugs.freedesktop.org/show_bug.cgi?id=20539, so this possibly fixes that
bug. It has been confirmed to fix
http://bugs.freedesktop.org/show_bug.cgi?id=17895 .
| -rw-r--r-- | src/mesa/drivers/dri/r300/r300_context.h | 2 | ||||
| -rw-r--r-- | src/mesa/drivers/dri/r300/r300_state.c | 2 | ||||
| -rw-r--r-- | src/mesa/drivers/dri/r300/r300_texmem.c | 5 | ||||
| -rw-r--r-- | src/mesa/drivers/dri/r300/r300_texstate.c | 11 |
4 files changed, 11 insertions, 9 deletions
diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h index 9c49586998..96a3205f1a 100644 --- a/src/mesa/drivers/dri/r300/r300_context.h +++ b/src/mesa/drivers/dri/r300/r300_context.h @@ -215,7 +215,7 @@ struct r300_tex_obj { }; struct r300_texture_env_state { - r300TexObjPtr texobj; + struct gl_texture_object *texobj; GLenum format; GLenum envMode; }; diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c index 6b79aa4313..79f0b3625c 100644 --- a/src/mesa/drivers/dri/r300/r300_state.c +++ b/src/mesa/drivers/dri/r300/r300_state.c @@ -1362,7 +1362,7 @@ static void r300SetupTextures(GLcontext * ctx) #endif tmu_mappings[i] = hw_tmu; - t = r300->state.texture.unit[i].texobj; + t = (r300TexObjPtr) r300->state.texture.unit[i].texobj->DriverData; /* XXX questionable fix for bug 9170: */ if (!t) continue; diff --git a/src/mesa/drivers/dri/r300/r300_texmem.c b/src/mesa/drivers/dri/r300/r300_texmem.c index 0fe51b0c68..a89ab83d94 100644 --- a/src/mesa/drivers/dri/r300/r300_texmem.c +++ b/src/mesa/drivers/dri/r300/r300_texmem.c @@ -44,6 +44,7 @@ SOFTWARE. #include "main/colormac.h" #include "main/macros.h" #include "main/simple_list.h" +#include "main/texobj.h" #include "radeon_reg.h" /* gets definition for usleep */ #include "r300_context.h" #include "r300_state.h" @@ -71,8 +72,8 @@ void r300DestroyTexObj(r300ContextPtr rmesa, r300TexObjPtr t) } for (i = 0; i < rmesa->radeon.glCtx->Const.MaxTextureUnits; i++) { - if (rmesa->state.texture.unit[i].texobj == t) { - rmesa->state.texture.unit[i].texobj = NULL; + if (rmesa->state.texture.unit[i].texobj == t->base.tObj) { + _mesa_reference_texobj(&rmesa->state.texture.unit[i].texobj, NULL); } } } diff --git a/src/mesa/drivers/dri/r300/r300_texstate.c b/src/mesa/drivers/dri/r300/r300_texstate.c index cadec7f3ec..abe613e27b 100644 --- a/src/mesa/drivers/dri/r300/r300_texstate.c +++ b/src/mesa/drivers/dri/r300/r300_texstate.c @@ -567,19 +567,20 @@ static GLboolean r300UpdateTexture(GLcontext * ctx, int unit) /* Update state if this is a different texture object to last * time. */ - if (rmesa->state.texture.unit[unit].texobj != t) { + if (rmesa->state.texture.unit[unit].texobj != tObj) { if (rmesa->state.texture.unit[unit].texobj != NULL) { + r300TexObjPtr t_old = (r300TexObjPtr) rmesa->state.texture.unit[unit].texobj->DriverData; + /* The old texture is no longer bound to this texture unit. * Mark it as such. */ - rmesa->state.texture.unit[unit].texobj->base.bound &= - ~(1 << unit); + t_old->base.bound &= ~(1 << unit); } - rmesa->state.texture.unit[unit].texobj = t; + _mesa_reference_texobj(&rmesa->state.texture.unit[unit].texobj, tObj); t->base.bound |= (1 << unit); - driUpdateTextureLRU((driTextureObject *) t); /* XXX: should be locked! */ + driUpdateTextureLRU(&t->base); /* XXX: should be locked! */ } return !t->border_fallback; |