[cogl/wip/smcv/test-premult-use-after-free] test-premult: Don't free texture data until CoglBitmap is freed



commit 76592f6415ec3210eac4f4104f2d563856fd7ff4
Author: Simon McVittie <smcv debian org>
Date:   Sun Aug 25 16:44:07 2019 +0100

    test-premult: Don't free texture data until CoglBitmap is freed
    
    According to the cogl_bitmap_new_for_data documentation, the data is not
    copied, so the application must keep the buffer alive for the lifetime
    of the CoglBitmap. Freeing it too early led to a use-after-free in the
    cogl unit tests.
    
    ==6223==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100001a500 at pc 0x7f3e2d4e7f4e bp 
0x7ffcd9c41f30 sp 0x7ffcd9c416e0
    READ of size 4096 at 0x62100001a500 thread T0
        #0 0x7f3e2d4e7f4d  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x96f4d)
        #1 0x7f3e260c7f6b in util_copy_box ../src/gallium/auxiliary/util/u_surface.c:131
        #2 0x7f3e268c6c10 in u_default_texture_subdata ../src/gallium/auxiliary/util/u_transfer.c:67
        #3 0x7f3e26486459 in st_TexSubImage ../src/mesa/state_tracker/st_cb_texture.c:1480
        #4 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1709
        #5 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1691
        #6 0x7f3e2644bdba in teximage ../src/mesa/main/teximage.c:3105
        #7 0x7f3e2644bdba in teximage_err ../src/mesa/main/teximage.c:3132
        #8 0x7f3e2644d84f in _mesa_TexImage2D ../src/mesa/main/teximage.c:3170
        #9 0x7f3e2cd1f7df in _cogl_texture_driver_upload_to_gl driver/gl/gl/cogl-texture-driver-gl.c:347
        #10 0x7f3e2ccd441b in allocate_from_bitmap driver/gl/cogl-texture-2d-gl.c:255
        #11 0x7f3e2ccd441b in _cogl_texture_2d_gl_allocate driver/gl/cogl-texture-2d-gl.c:462
        #12 0x7f3e2ce3a6c0 in cogl_texture_allocate cogl/cogl-texture.c:1398
        #13 0x7f3e2ce3e116 in _cogl_texture_pre_paint cogl/cogl-texture.c:359
        #14 0x7f3e2cdee177 in _cogl_pipeline_layer_pre_paint cogl/cogl-pipeline-layer.c:864
        #15 0x7f3e2cd574af in _cogl_rectangles_validate_layer_cb cogl/cogl-primitives.c:542
        #16 0x7f3e2cdd742f in cogl_pipeline_foreach_layer cogl/cogl-pipeline.c:735
        #17 0x7f3e2cd5c8b0 in _cogl_framebuffer_draw_multitextured_rectangles cogl/cogl-primitives.c:658
        #18 0x7f3e2cd60152 in cogl_rectangle cogl/cogl-primitives.c:858
        #19 0x5570a71ed6a0 in check_texture tests/conform/test-premult.c:103
        #20 0x5570a71ed946 in test_premult tests/conform/test-premult.c:159
        #21 0x5570a71df0d6 in main tests/conform/test-conform-main.c:58
        #22 0x7f3e2bcd809a in __libc_start_main ../csu/libc-start.c:308
        #23 0x5570a71e0869 in _start (/home/smcv/src/debian/cogl/tests/conform/.libs/test-conformance+0x33869)
    
    0x62100001a500 is located 0 bytes inside of 4096-byte region [0x62100001a500,0x62100001b500)
    freed by thread T0 here:
        #0 0x7f3e2d5581d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7)
        #1 0x5570a71ed58b in make_texture tests/conform/test-premult.c:69
    
    previously allocated by thread T0 here:
        #0 0x7f3e2d558588 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107588)
        #1 0x7f3e2d384500 in g_malloc ../../../glib/gmem.c:99
    
    Signed-off-by: Simon McVittie <smcv debian org>

 tests/conform/test-premult.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
---
diff --git a/tests/conform/test-premult.c b/tests/conform/test-premult.c
index 816c4873..7475f6a8 100644
--- a/tests/conform/test-premult.c
+++ b/tests/conform/test-premult.c
@@ -49,6 +49,7 @@ make_texture (uint32_t color,
              CoglPixelFormat src_format,
               MakeTextureFlags flags)
 {
+  static CoglUserDataKey bitmap_free_key;
   CoglTexture2D *tex_2d;
   guchar *tex_data = gen_tex_data (color);
   CoglBitmap *bmp = cogl_bitmap_new_for_data (test_ctx,
@@ -57,6 +58,10 @@ make_texture (uint32_t color,
                                               src_format,
                                               QUAD_WIDTH * 4,
                                               tex_data);
+  cogl_object_set_user_data (COGL_OBJECT (bmp),
+                             &bitmap_free_key,
+                             tex_data,
+                             g_free);
 
   tex_2d = cogl_texture_2d_new_from_bitmap (bmp);
 
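Review bot: The `cogl_object_set_user_data` call added in make_texture transfers ownership of `tex_data` to `bmp`, but nothing at the call site says so. A later cleanup could re-add the `g_free (tex_data)` that the last hunk removes and bring back the heap-use-after-free. I would put a comment directly above the call, for example `/* cogl_bitmap_new_for_data() does not copy tex_data; free it only when bmp is destroyed */`. The `static CoglUserDataKey bitmap_free_key` declared in the first hunk also deserves a one-line note that only its address is used, as the user-data key. Judging from the ASan trace, the pixel data is read lazily when the texture is allocated during `check_texture`, so the buffer presumably stays alive only while the texture holds its own reference to `bmp` after the `cogl_object_unref (bmp)` here; that is worth confirming against `cogl_texture_2d_new_from_bitmap`.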
@@ -66,7 +71,6 @@ make_texture (uint32_t color,
     cogl_texture_set_premultiplied (tex_2d, FALSE);
 
   cogl_object_unref (bmp);
-  g_free (tex_data);
 
   return tex_2d;
 }

