translator: Fix use-after-free with DepthRange.

Because this builtin uses a structure, certain shaders could trigger the mangled name to be allocated during normal shader compilation. Then when the scope is popped, the mangled name for DepthRange is freed, and we're left with a dangling pointer. Fix this temporarily by enforcing mangled name construction when we initialize the builtins, but we should look for a more robust and future-proof fix. BUG=620937 Change-Id: If130c8b48a18054502abaec08f10264f282b4925 Reviewed-on: https://chromium-review.googlesource.com/354494Reviewed-by: Corentin Wallez <cwallez@chromium.org> Reviewed-by: Antoine Labour <piman@google.com> Commit-Queue: Jamie Madill <jmadill@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/360480Reviewed-by: Jamie Madill <jmadill@chromium.org>

translator: Fix use-after-free with DepthRange.
f07246f6 · Jamie Madill · 392c3de4 · f07246f6 · f07246f6
Commit f07246f6 authored Jun 21, 2016 by Jamie Madill
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 12 deletions

Initialize.cpp src/compiler/translator/Initialize.cpp +9 -4

Types.h src/compiler/translator/Types.h +22 -8

No files found.
--- a/src/compiler/translator/Initialize.cpp
+++ b/src/compiler/translator/Initialize.cpp
@@ -436,17 +436,22 @@ void InsertBuiltInFunctions(sh::GLenum type, ShShaderSpec spec, const ShBuiltInR
    //
    TFieldList *fields = NewPoolTFieldList();
    TSourceLoc zeroSourceLoc = {0, 0, 0, 0};
-    TField *near = new TField(new TType(EbtFloat, EbpHigh, EvqGlobal, 1), NewPoolTString("near"), zeroSourceLoc);
+    auto highpFloat1         = new TType(EbtFloat, EbpHigh, EvqGlobal, 1);
-    TField *far = new TField(new TType(EbtFloat, EbpHigh, EvqGlobal, 1), NewPoolTString("far"), zeroSourceLoc);
+    TField *near             = new TField(highpFloat1, NewPoolTString("near"), zeroSourceLoc);
-    TField *diff = new TField(new TType(EbtFloat, EbpHigh, EvqGlobal, 1), NewPoolTString("diff"), zeroSourceLoc);
+    TField *far              = new TField(highpFloat1, NewPoolTString("far"), zeroSourceLoc);
+    TField *diff             = new TField(highpFloat1, NewPoolTString("diff"), zeroSourceLoc);
    fields->push_back(near);
    fields->push_back(far);
    fields->push_back(diff);
    TStructure *depthRangeStruct = new TStructure(NewPoolTString("gl_DepthRangeParameters"), fields);
-    TVariable *depthRangeParameters = new TVariable(&depthRangeStruct->name(), depthRangeStruct, true);
+    TVariable *depthRangeParameters =
+        new TVariable(&depthRangeStruct->name(), TType(depthRangeStruct), true);
    symbolTable.insert(COMMON_BUILTINS, depthRangeParameters);
    TVariable *depthRange = new TVariable(NewPoolTString("gl_DepthRange"), TType(depthRangeStruct));
    depthRange->setQualifier(EvqUniform);
+    // Ensure we evaluate the mangled name for depth range, so we allocate to the current scope.
+    depthRangeParameters->getType().getMangledName();
+    depthRange->getType().getMangledName();
    symbolTable.insert(COMMON_BUILTINS, depthRange);
    //

--- a/src/compiler/translator/Types.h
+++ b/src/compiler/translator/Types.h
@@ -241,11 +241,18 @@ class TType
          interfaceBlock(nullptr), structure(nullptr)
    {
    }
-    TType(TBasicType t, unsigned char ps = 1, unsigned char ss = 1)
+    explicit TType(TBasicType t, unsigned char ps = 1, unsigned char ss = 1)
-        : type(t), precision(EbpUndefined), qualifier(EvqGlobal), invariant(false),
+        : type(t),
+          precision(EbpUndefined),
+          qualifier(EvqGlobal),
+          invariant(false),
          layoutQualifier(TLayoutQualifier::create()),
-          primarySize(ps), secondarySize(ss), array(false), arraySize(0),
+          primarySize(ps),
-          interfaceBlock(0), structure(0)
+          secondarySize(ss),
+          array(false),
+          arraySize(0),
+          interfaceBlock(0),
+          structure(0)
    {
    }
    TType(TBasicType t, TPrecision p, TQualifier q = EvqTemporary,
@@ -257,11 +264,18 @@ class TType
    {
    }
    explicit TType(const TPublicType &p);
-    TType(TStructure *userDef, TPrecision p = EbpUndefined)
+    explicit TType(TStructure *userDef, TPrecision p = EbpUndefined)
-        : type(EbtStruct), precision(p), qualifier(EvqTemporary), invariant(false),
+        : type(EbtStruct),
+          precision(p),
+          qualifier(EvqTemporary),
+          invariant(false),
          layoutQualifier(TLayoutQualifier::create()),
-          primarySize(1), secondarySize(1), array(false), arraySize(0),
+          primarySize(1),
-          interfaceBlock(0), structure(userDef)
+          secondarySize(1),
+          array(false),
+          arraySize(0),
+          interfaceBlock(0),
+          structure(userDef)
    {
    }
    TType(TInterfaceBlock *interfaceBlockIn, TQualifier qualifierIn,