From c3bf10d19a925504a6b11999a9d24dfa1b79aa05 Mon Sep 17 00:00:00 2001 
From: Simon McVittie Date: Sun, 25 Aug 2019 16:44:07 +0100 Subject: [PATCH] cogl test-premult: Don't free texture data until CoglBitmap is freed According to the cogl_bitmap_new_for_data documentation, the data is not copied, so the application must keep the buffer alive for the lifetime of the CoglBitmap. Freeing it too early led to a use-after-free in the cogl unit tests. With that fixed, the test passes, so remove the known failure annotation. This AddressSanitizer trace is from the original cogl, but the bug and fix apply equally to mutter's fork of cogl: ==6223==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100001a500 at pc 0x7f3e2d4e7f4e bp 0x7ffcd9c41f30 sp 0x7ffcd9c416e0 READ of size 4096 at 0x62100001a500 thread T0 #0 0x7f3e2d4e7f4d (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x96f4d) #1 0x7f3e260c7f6b in util_copy_box ../src/gallium/auxiliary/util/u_surface.c:131 #2 0x7f3e268c6c10 in u_default_texture_subdata ../src/gallium/auxiliary/util/u_transfer.c:67 #3 0x7f3e26486459 in st_TexSubImage ../src/mesa/state_tracker/st_cb_texture.c:1480 #4 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1709 #5 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1691 #6 0x7f3e2644bdba in teximage ../src/mesa/main/teximage.c:3105 #7 0x7f3e2644bdba in teximage_err ../src/mesa/main/teximage.c:3132 #8 0x7f3e2644d84f in _mesa_TexImage2D ../src/mesa/main/teximage.c:3170 #9 0x7f3e2cd1f7df in _cogl_texture_driver_upload_to_gl driver/gl/gl/cogl-texture-driver-gl.c:347 #10 0x7f3e2ccd441b in allocate_from_bitmap driver/gl/cogl-texture-2d-gl.c:255 #11 0x7f3e2ccd441b in _cogl_texture_2d_gl_allocate driver/gl/cogl-texture-2d-gl.c:462 #12 0x7f3e2ce3a6c0 in cogl_texture_allocate cogl/cogl-texture.c:1398 #13 0x7f3e2ce3e116 in _cogl_texture_pre_paint cogl/cogl-texture.c:359 #14 0x7f3e2cdee177 in _cogl_pipeline_layer_pre_paint cogl/cogl-pipeline-layer.c:864 #15 0x7f3e2cd574af in _cogl_rectangles_validate_layer_cb 
cogl/cogl-primitives.c:542 #16 0x7f3e2cdd742f in cogl_pipeline_foreach_layer cogl/cogl-pipeline.c:735 #17 0x7f3e2cd5c8b0 in _cogl_framebuffer_draw_multitextured_rectangles cogl/cogl-primitives.c:658 #18 0x7f3e2cd60152 in cogl_rectangle cogl/cogl-primitives.c:858 #19 0x5570a71ed6a0 in check_texture tests/conform/test-premult.c:103 #20 0x5570a71ed946 in test_premult tests/conform/test-premult.c:159 #21 0x5570a71df0d6 in main tests/conform/test-conform-main.c:58 #22 0x7f3e2bcd809a in __libc_start_main ../csu/libc-start.c:308 #23 0x5570a71e0869 in _start (/home/smcv/src/debian/cogl/tests/conform/.libs/test-conformance+0x33869) 0x62100001a500 is located 0 bytes inside of 4096-byte region [0x62100001a500,0x62100001b500) freed by thread T0 here: #0 0x7f3e2d5581d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7) #1 0x5570a71ed58b in make_texture tests/conform/test-premult.c:69 previously allocated by thread T0 here: #0 0x7f3e2d558588 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107588) #1 0x7f3e2d384500 in g_malloc ../../../glib/gmem.c:99 This was originally cogl!12. https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1274 Signed-off-by: Simon McVittie
---
 cogl/tests/conform/test-conform-main.c | 2 +-
 cogl/tests/conform/test-premult.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/cogl/tests/conform/test-conform-main.c b/cogl/tests/conform/test-conform-main.c
index 73f72c846..5afa0ed8f 100644
--- a/cogl/tests/conform/test-conform-main.c
+++ b/cogl/tests/conform/test-conform-main.c
@@ -55,7 +55,7 @@ main (int argc, char **argv)
   ADD_TEST (test_pipeline_user_matrix, 0, 0);
   ADD_TEST (test_blend_strings, 0, 0);
   ADD_TEST (test_blend, 0, 0);
-  ADD_TEST (test_premult, 0, TEST_KNOWN_FAILURE);
+  ADD_TEST (test_premult, 0, 0);
   UNPORTED_TEST (test_readpixels);
   ADD_TEST (test_depth_test, 0, 0);
   ADD_TEST (test_backface_culling, 0, TEST_REQUIREMENT_NPOT);
diff --git a/cogl/tests/conform/test-premult.c b/cogl/tests/conform/test-premult.c
index 70a67318a..cd0687d94 100644
--- a/cogl/tests/conform/test-premult.c
+++ b/cogl/tests/conform/test-premult.c
@@ -50,6 +50,7 @@ make_texture (uint32_t color,
               CoglPixelFormat src_format,
               MakeTextureFlags flags)
 {
+  static CoglUserDataKey bitmap_free_key;
   CoglTexture2D *tex_2d;
   guchar *tex_data = gen_tex_data (color);
   CoglBitmap *bmp = cogl_bitmap_new_for_data (test_ctx,
@@ -58,6 +59,10 @@ make_texture (uint32_t color,
                                               src_format,
                                               QUAD_WIDTH * 4,
                                               tex_data);
+  cogl_object_set_user_data (COGL_OBJECT (bmp),
+                             &bitmap_free_key,
+                             tex_data,
+                             g_free);
 
   tex_2d = cogl_texture_2d_new_from_bitmap (bmp);
 
@@ -67,7 +72,6 @@ make_texture (uint32_t color,
   cogl_texture_set_premultiplied (tex_2d, FALSE);
 
   cogl_object_unref (bmp);
-  g_free (tex_data);
 
   return tex_2d;
 }
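Review bot: The new `cogl_object_set_user_data` call only closes the use-after-free if the texture keeps its own reference to `bmp`, because the ASan trace in the message shows the upload running lazily from `_cogl_texture_pre_paint` rather than inside `cogl_texture_2d_new_from_bitmap`, and after the `cogl_object_unref (bmp)` in the last hunk `tex_data` now dies exactly when the bitmap does. That refcount dependency is not visible in this function, so a reader auditing lifetimes here would have to re-derive it; a comment above the call would pin it, e.g. `/* cogl_bitmap_new_for_data does not copy: let the bitmap own tex_data so it outlives the deferred upload, which holds a ref on bmp */`. The wording that the texture holds a reference is an inference from the trace and should be confirmed against `cogl_texture_2d_new_from_bitmap` before landing the comment. make_texture's signature is cut at the start of the first hunk and its body spans all three hunks of this file.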