summaryrefslogtreecommitdiff
path: root/drivers/vulkan
diff options
context:
space:
mode:
authorChibiDenDen <pdaniq@gmail.com>2023-02-20 11:54:52 +0200
committerGitHub <noreply@github.com>2023-02-20 11:54:52 +0200
commitd104d8447b6594f3372b919797c4b0d9300817ba (patch)
tree2d369f11273a26b640d9d91cc91eb314010948d2 /drivers/vulkan
parent9f68d06ec2d8dbeb237c5aa5c6f9bbcbe26bde5d (diff)
Fix use-after-free for VkAttachmentReference
In the flow where VK_KHR_CREATE_RENDERPASS_2_EXTENSION_NAME does not exist VkAttachmentReference are created inside a loop and their backing buffer is referenced in the subpass object. the VkAttachmentReference vectors are freed once the loop exists, causing the subpass to point to freed data. Add all the VkAttachmentReference to a vector in the scope of the entire function, to ensure they are not freed until vkCreateRenderPass is called
Diffstat (limited to 'drivers/vulkan')
-rw-r--r--drivers/vulkan/vulkan_context.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/vulkan/vulkan_context.cpp b/drivers/vulkan/vulkan_context.cpp
index b8cea7136d..f185a5cb88 100644
--- a/drivers/vulkan/vulkan_context.cpp
+++ b/drivers/vulkan/vulkan_context.cpp
@@ -101,6 +101,7 @@ VkResult VulkanContext::vkCreateRenderPass2KHR(VkDevice p_device, const VkRender
attachments.push_back(att);
}
+ Vector<Vector<VkAttachmentReference>> attachment_references;
Vector<VkSubpassDescription> subpasses;
for (uint32_t i = 0; i < p_create_info->subpassCount; i++) {
// Here we need to do more, again it's just stripping out type and next
@@ -124,6 +125,10 @@ VkResult VulkanContext::vkCreateRenderPass2KHR(VkDevice p_device, const VkRender
p_create_info->pSubpasses[i].preserveAttachmentCount, /* preserveAttachmentCount */
p_create_info->pSubpasses[i].pPreserveAttachments /* pPreserveAttachments */
};
+ attachment_references.push_back(input_attachments);
+ attachment_references.push_back(color_attachments);
+ attachment_references.push_back(resolve_attachments);
+ attachment_references.push_back(depth_attachments);
subpasses.push_back(subpass);
}