|
| 1 | +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Geoff Lang <geofflang@chromium.org> |
| 3 | +Date: Fri, 27 Mar 2020 12:24:52 -0400 |
| 4 | +Subject: Update the active texture cache before changing the texture binding. |
| 5 | + |
| 6 | +When a new texture is bound, the texture binding state is updated before |
| 7 | +updating the active texture cache. With this ordering, it is possible to delete |
| 8 | +the currently bound texture when the binding changes and then use-after-free it |
| 9 | +when updating the active texture cache. |
| 10 | + |
| 11 | +BUG=angleproject:1065186 |
| 12 | + |
| 13 | +Change-Id: Id6d56b6c6db423755b195cda1e5cf1bcb1ee7aee |
| 14 | +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/2124588 |
| 15 | +Commit-Queue: Geoff Lang <geofflang@chromium.org> |
| 16 | +Reviewed-by: Jamie Madill <jmadill@chromium.org> |
| 17 | + |
| 18 | +diff --git a/src/libANGLE/State.cpp b/src/libANGLE/State.cpp |
| 19 | +index b15fcfc3fc1bef30f4afd2320e5eb11dbea7dea0..a5b0b778dd30ad6568826c7a88c28cbe5ab29228 100644 |
| 20 | +--- a/src/libANGLE/State.cpp |
| 21 | ++++ b/src/libANGLE/State.cpp |
| 22 | +@@ -1144,14 +1144,14 @@ void State::setActiveSampler(unsigned int active) |
| 23 | + |
| 24 | + void State::setSamplerTexture(const Context *context, TextureType type, Texture *texture) |
| 25 | + { |
| 26 | +- mSamplerTextures[type][mActiveSampler].set(context, texture); |
| 27 | +- |
| 28 | + if (mProgram && mProgram->getActiveSamplersMask()[mActiveSampler] && |
| 29 | + mProgram->getActiveSamplerTypes()[mActiveSampler] == type) |
| 30 | + { |
| 31 | + updateActiveTexture(context, mActiveSampler, texture); |
| 32 | + } |
| 33 | + |
| 34 | ++ mSamplerTextures[type][mActiveSampler].set(context, texture); |
| 35 | ++ |
| 36 | + mDirtyBits.set(DIRTY_BIT_TEXTURE_BINDINGS); |
| 37 | + } |
| 38 | + |
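Review bot: The reordered body of `State::setSamplerTexture` has no comment explaining why `updateActiveTexture(context, mActiveSampler, texture)` must now run before `mSamplerTextures[type][mActiveSampler].set(context, texture)`, so a later tidy-up could restore the old order and bring back the use-after-free the commit message describes. I would put a comment directly above the `set` call, for example `// Rebind last: set() may release the previously bound texture, which the active texture cache can still reference until updateActiveTexture() has run.` That the release happens inside `set()` is inferred from the commit message; the hunk itself does not show it. The patch touches only `State.cpp` and adds no regression test, so a test that deletes the bound texture and then rebinds would be worth adding to pin the ordering.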