Commit 0fe401c
committed
gfx/drivers/d3d9hlsl: NULL-check realloc in d3d9_hlsl_convert_macro_loops
Six realloc sites inside d3d9_hlsl_convert_macro_loops had no NULL
check at all, just
while (opos + N >= cap)
{ cap *= 2; out = (char*)realloc(out, cap); }
memcpy(out + opos, ...);
On OOM realloc returns NULL, the self-assign overwrites the only
pointer to the old buffer (leaking it), and the very next line
memcpys into NULL+opos - a segfault crash during Cg-style HLSL
shader preprocessing.
This function rewrites macro-unrolled loops in Cg shaders into
HLSL [loop] form. It runs during shader-preset compilation, so
every slang preset load that contains a qualifying macro
(pattern: single-param function-like #define called N times with
monotonically increasing integer arguments, N >= 4) hits this
code path. Shader presets are user-provided and can be
arbitrary size; a memory-tight system loading a big CRT-Royale-
style preset at the wrong moment will crash here rather than
fail gracefully.
The other five callers inside the function (lines ~5749, 5760,
5772, 5786, 5795, 5803 pre-patch) all had the same bug. All six
are fixed by switching to the realloc-into-tmp idiom:
while (opos + N >= cap)
{
char *tmp;
cap *= 2;
if (!(tmp = (char*)realloc(out, cap)))
{ free(out); return NULL; }
out = tmp;
}
This also plugs the self-assign leak that the pre-patch form
would have triggered on OOM - since we free(out) on the failure
path, the old buffer is reclaimed before we return NULL.
Thread-safety: unchanged. Shader compilation runs on whichever
thread loads the preset; d3d9_hlsl_convert_macro_loops does not
touch any shared state beyond the const-source argument.
Reachability: every Cg-style macro-expanded shader preset load
on the D3D9-HLSL backend. The worst of the crash modes (writes
past end of buffer on OOM) has been latent for as long as this
preprocessing pass has been in tree.
Scope: this commit only fixes the six sites in
d3d9_hlsl_convert_macro_loops. The surrounding 8200-line file
has ~13 more realloc-assign-self patterns in other HLSL-fixup
functions (d3d9_hlsl_preprocess_includes, d3d9_hlsl_add_struct_
semantics, d3d9_hlsl_decompose_struct_samplers,
d3d9_hlsl_fixup_cg_source, and the d3d9_hlsl_buf_append helper)
that have the same leak-on-OOM pattern but do NULL-check after
the realloc so they don't crash - just leak and return NULL.
Those are worth fixing too but are a separate follow-up; this
commit focuses on the six crash sites.

1 parent eebab97 commit 0fe401c
1 file changed
Lines changed: 42 additions & 6 deletions
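The realloc-into-tmp idiom the commit adopts, as an added example that is not RetroArch code: a small growable string buffer that grows with the same doubling loop, plus a fault-injecting allocator (`xrealloc`/`xfree`, hypothetical names) so the OOM path can be exercised deterministically. `copy_in_chunks` stands in for a preprocessing pass that appends rewritten text piece by piece; on a simulated allocation failure it returns NULL with the old buffer already released, which is exactly the behaviour the patched sites now have.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fault injector standing in for real OOM (constructed for this example).
 * When g_fail_above_bytes is non-zero, any request larger than it fails. */
static size_t g_fail_above_bytes = 0;   /* 0 = never fail */
static int    g_free_calls       = 0;   /* lets a test prove the old block was freed */

static void *xrealloc(void *p, size_t n)
{
   if (g_fail_above_bytes && n > g_fail_above_bytes)
      return NULL;                      /* simulated OOM */
   return realloc(p, n);
}

static void xfree(void *p)
{
   g_free_calls++;
   free(p);
}

typedef struct
{
   char  *data;
   size_t len;
   size_t cap;
} strbuf;

/* Make room for `need` more bytes plus a NUL. Same doubling loop as the
 * commit, but realloc goes into tmp: on failure the old block is still valid,
 * so it is released here and 0 is returned; sb->data must not be used after. */
static int strbuf_reserve(strbuf *sb, size_t need)
{
   size_t want = sb->len + need + 1;
   size_t cap;
   char  *tmp;

   if (want < sb->len)
      return 0;                         /* size_t wrapped: refuse, don't shrink */
   if (want <= sb->cap)
      return 1;

   cap = sb->cap ? sb->cap : 64;
   while (cap < want)
   {
      if (cap > SIZE_MAX / 2) { cap = want; break; }   /* doubling would wrap */
      cap *= 2;
   }

   if (!(tmp = (char*)xrealloc(sb->data, cap)))
   {
      xfree(sb->data);                  /* reclaim instead of self-assigning NULL */
      sb->data = NULL;
      sb->len  = sb->cap = 0;
      return 0;
   }
   sb->data = tmp;
   sb->cap  = cap;
   return 1;
}

static int strbuf_append(strbuf *sb, const char *s, size_t n)
{
   if (!strbuf_reserve(sb, n))
      return 0;
   memcpy(sb->data + sb->len, s, n);    /* only reached with a valid buffer */
   sb->len += n;
   sb->data[sb->len] = '\0';
   return 1;
}

/* Copies src into a new buffer `chunk` bytes at a time, the way a rewrite pass
 * emits text. Returns a NUL-terminated copy the caller must free(), or NULL
 * (with nothing leaked) if an allocation above oom_above_bytes is simulated. */
static char *copy_in_chunks(const char *src, size_t chunk, size_t oom_above_bytes)
{
   strbuf sb = {0};
   size_t n = strlen(src), pos = 0;

   g_fail_above_bytes = oom_above_bytes;
   g_free_calls       = 0;

   if (!strbuf_reserve(&sb, 0))
      return NULL;                      /* even empty input yields "" */
   while (pos < n)
   {
      size_t take = (n - pos < chunk) ? n - pos : chunk;
      if (!strbuf_append(&sb, src + pos, take))
         return NULL;                   /* buffer already freed in reserve */
      pos += take;
   }
   return sb.data;
}

/* Number of frees performed during the most recent copy_in_chunks() call. */
static int frees_on_last_run(void) { return g_free_calls; }

int main(void)
{
   char *ok   = copy_in_chunks("#define ITER(i) x[i]\n", 5, 0);
   char *fail = copy_in_chunks("#define ITER(i) x[i]\n", 5, 32);
   printf("normal: %s", ok ? ok : "(null)\n");
   printf("simulated OOM: %s, frees=%d\n", fail ? "buffer" : "NULL", frees_on_last_run());
   free(ok);
   return 0;
}
```

With a budget of 128 bytes the buffer grows 64, then 128, then the request for 256 fails: the function returns NULL and `frees_on_last_run()` reports exactly one free, so the original block was reclaimed rather than leaked.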
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5746 | 5746 | | |
5747 | 5747 | | |
5748 | 5748 | | |
5749 | | - | |
| 5749 | + | |
| 5750 | + | |
| 5751 | + | |
| 5752 | + | |
| 5753 | + | |
| 5754 | + | |
| 5755 | + | |
5750 | 5756 | | |
5751 | 5757 | | |
5752 | 5758 | | |
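Review bot: the new failure path at 5749–5755 does `free(out); return NULL;` (per the commit message), so this only removes the crash if every caller of d3d9_hlsl_convert_macro_loops checks the return for NULL before using it; the message says nothing about the callers, so please confirm that in this commit or the OOM crash just moves one frame up the stack.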
| |||
5757 | 5763 | | |
5758 | 5764 | | |
5759 | 5765 | | |
5760 | | - | |
| 5766 | + | |
| 5767 | + | |
| 5768 | + | |
| 5769 | + | |
| 5770 | + | |
| 5771 | + | |
| 5772 | + | |
5761 | 5773 | | |
5762 | 5774 | | |
5763 | 5775 | | |
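Review bot: the `cap *= 2` kept at 5766–5772 still has no upper bound; since the message notes presets are user-provided and arbitrary in size, a wrap check on cap before doubling (or an outright size cap on the input) would make an oversized preset fail in realloc rather than shrink cap on a 32-bit size_t.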
| |||
5769 | 5781 | | |
5770 | 5782 | | |
5771 | 5783 | | |
5772 | | - | |
| 5784 | + | |
| 5785 | + | |
| 5786 | + | |
| 5787 | + | |
| 5788 | + | |
| 5789 | + | |
| 5790 | + | |
5773 | 5791 | | |
5774 | 5792 | | |
5775 | 5793 | | |
| |||
5783 | 5801 | | |
5784 | 5802 | | |
5785 | 5803 | | |
5786 | | - | |
| 5804 | + | |
| 5805 | + | |
| 5806 | + | |
| 5807 | + | |
| 5808 | + | |
| 5809 | + | |
| 5810 | + | |
5787 | 5811 | | |
5788 | 5812 | | |
5789 | 5813 | | |
| |||
5792 | 5816 | | |
5793 | 5817 | | |
5794 | 5818 | | |
5795 | | - | |
| 5819 | + | |
| 5820 | + | |
| 5821 | + | |
| 5822 | + | |
| 5823 | + | |
| 5824 | + | |
| 5825 | + | |
5796 | 5826 | | |
5797 | 5827 | | |
5798 | 5828 | | |
5799 | 5829 | | |
5800 | 5830 | | |
5801 | 5831 | | |
5802 | 5832 | | |
5803 | | - | |
| 5833 | + | |
| 5834 | + | |
| 5835 | + | |
| 5836 | + | |
| 5837 | + | |
| 5838 | + | |
| 5839 | + | |
5804 | 5840 | | |
5805 | 5841 | | |
5806 | 5842 | | |
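Review bot: the same seven-line grow block is now pasted at six sites (5749, 5766, 5784, 5804, 5819 and 5833 in the new numbering); consider hoisting it into one static grow helper next to d3d9_hlsl_buf_append, which the message says already exists, so the unchecked form cannot creep back in at a seventh site and the ~13 follow-up sites the message lists can be converted mechanically.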
| |||