gallium/u_threaded: add missing reference counts for draw_multi slots

If a glMultiDrawElementsEXT() call doesn't fit into a single slot, the same pipe_resource pointer is copied into all following slots, the completion of each will decrement the reference counter; however, it was never incremented for all but the first slot. This fixes a use-after-free bug with glMultiDrawElementsEXT(). Cc: mesa-stable Reviewed-by: Marek Olšák <marek.olsak@amd.com> Reviewed-By: Mike Blumenkrantz <michael.blumenkrantz@gmail.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/18189>
2022-08-22 20:10:46 +02:00
parent f90f04d501
commit 0a0fb7cbc6
1 changed files with 8 additions and 1 deletions
--- a/src/gallium/auxiliary/util/u_threaded_context.c
+++ b/src/gallium/auxiliary/util/u_threaded_context.c
@@ -3517,7 +3517,14 @@ tc_draw_vbo(struct pipe_context *_pipe, const struct pipe_draw_info *info,
            tc_add_slot_based_call(tc, TC_CALL_draw_multi, tc_draw_multi,
                                   dr);
         memcpy(&p->info, info, DRAW_INFO_SIZE_WITHOUT_INDEXBUF_AND_MIN_MAX_INDEX);
-         p->info.index.resource = buffer;
+
+         if (total_offset == 0)
+            /* the first slot inherits the reference from u_upload_alloc() */
+            p->info.index.resource = buffer;
+         else
+            /* all following slots need a new reference */
+            tc_set_resource_reference(&p->info.index.resource, buffer);
+
         p->num_draws = dr;

         /* Upload index buffers. */