diff options
| author |  Ethan Nicholas <ethannicholas@google.com> | 2017-07-18 13:22:37 -0400 |
|---|---|---|
| committer |  Skia Commit-Bot <skia-commit-bot@chromium.org> | 2017-07-18 17:44:34 +0000 |
| commit | c432b0ca8a5022d86f0ccf2efd1064ed9fce2e53 (patch) | |
| tree | 404b91918e85034437bc3bdf87be39ecb0f0c3b1 /src | |
| parent | 140635504c40b99debb0e714aca8d90652aa6aff (diff) | |
fixed use-after-free in sksl switch statements
Bug: skia:
Change-Id: I66ef1cd2af9c654bfa40a71b2218cfde49f3a54e
Reviewed-on: https://skia-review.googlesource.com/24329
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/sksl/SkSLCompiler.cpp | 2 | ||||
| -rw-r--r-- | src/sksl/SkSLIRGenerator.cpp | 3 | ||||
| -rw-r--r-- | src/sksl/ir/SkSLSwitchStatement.h | 7 |
3 files changed, 9 insertions, 3 deletions
diff --git a/src/sksl/SkSLCompiler.cpp b/src/sksl/SkSLCompiler.cpp index 3a037e798e..0584ff157b 100644 --- a/src/sksl/SkSLCompiler.cpp +++ b/src/sksl/SkSLCompiler.cpp @@ -846,7 +846,7 @@ static std::unique_ptr<Statement> block_for_case(SwitchStatement* s, SwitchCase* for (const auto& s : statementPtrs) { statements.push_back(std::move(*s)); } - return std::unique_ptr<Statement>(new Block(Position(), std::move(statements))); + return std::unique_ptr<Statement>(new Block(Position(), std::move(statements), s->fSymbols)); } void Compiler::simplifyStatement(DefinitionMap& definitions, diff --git a/src/sksl/SkSLIRGenerator.cpp b/src/sksl/SkSLIRGenerator.cpp index 1af37227af..22e2642310 100644 --- a/src/sksl/SkSLIRGenerator.cpp +++ b/src/sksl/SkSLIRGenerator.cpp @@ -457,7 +457,8 @@ std::unique_ptr<Statement> IRGenerator::convertSwitch(const ASTSwitchStatement& std::move(statements))); } return std::unique_ptr<Statement>(new SwitchStatement(s.fPosition, s.fIsStatic, - std::move(value), std::move(cases))); + std::move(value), std::move(cases), + fSymbolTable)); } std::unique_ptr<Statement> IRGenerator::convertExpressionStatement( diff --git a/src/sksl/ir/SkSLSwitchStatement.h b/src/sksl/ir/SkSLSwitchStatement.h index 3837554b0d..dec5b749a5 100644 --- a/src/sksl/ir/SkSLSwitchStatement.h +++ b/src/sksl/ir/SkSLSwitchStatement.h @@ -18,10 +18,12 @@ namespace SkSL { */ struct SwitchStatement : public Statement { SwitchStatement(Position position, bool isStatic, std::unique_ptr<Expression> value, - std::vector<std::unique_ptr<SwitchCase>> cases) + std::vector<std::unique_ptr<SwitchCase>> cases, + const std::shared_ptr<SymbolTable> symbols) : INHERITED(position, kSwitch_Kind) , fIsStatic(isStatic) , fValue(std::move(value)) + , fSymbols(std::move(symbols)) , fCases(std::move(cases)) {} String description() const override { @@ -39,6 +41,9 @@ struct SwitchStatement : public Statement { bool fIsStatic; std::unique_ptr<Expression> fValue; + // it's important to keep fCases defined after (and thus destroyed before) fSymbols, because + // destroying statements can modify reference counts in symbols + const std::shared_ptr<SymbolTable> fSymbols; std::vector<std::unique_ptr<SwitchCase>> fCases; typedef Statement INHERITED; |