From d104d8447b6594f3372b919797c4b0d9300817ba Mon Sep 17 00:00:00 2001 From: ChibiDenDen Date: Mon, 20 Feb 2023 11:54:52 +0200 Subject: Fix use-after-free for VkAttachmentReference In the flow where VK_KHR_CREATE_RENDERPASS_2_EXTENSION_NAME does not exist VkAttachmentReference are created inside a loop and their backing buffer is referenced in the subpass object. the VkAttachmentReference vectors are freed once the loop exists, causing the subpass to point to freed data. Add all the VkAttachmentReference to a vector in the scope of the entire function, to ensure they are not freed until vkCreateRenderPass is called --- drivers/vulkan/vulkan_context.cpp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'drivers') diff --git a/drivers/vulkan/vulkan_context.cpp b/drivers/vulkan/vulkan_context.cpp index b8cea7136d..f185a5cb88 100644 --- a/drivers/vulkan/vulkan_context.cpp +++ b/drivers/vulkan/vulkan_context.cpp @@ -101,6 +101,7 @@ VkResult VulkanContext::vkCreateRenderPass2KHR(VkDevice p_device, const VkRender attachments.push_back(att); } + Vector> attachment_references; Vector subpasses; for (uint32_t i = 0; i < p_create_info->subpassCount; i++) { // Here we need to do more, again it's just stripping out type and next @@ -124,6 +125,10 @@ VkResult VulkanContext::vkCreateRenderPass2KHR(VkDevice p_device, const VkRender p_create_info->pSubpasses[i].preserveAttachmentCount, /* preserveAttachmentCount */ p_create_info->pSubpasses[i].pPreserveAttachments /* pPreserveAttachments */ }; + attachment_references.push_back(input_attachments); + attachment_references.push_back(color_attachments); + attachment_references.push_back(resolve_attachments); + attachment_references.push_back(depth_attachments); subpasses.push_back(subpass); } -- cgit v1.2.3
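Review bot: The four `attachment_references.push_back(...)` calls in the second hunk keep the subpass pointers valid only if copying a Vector shares the original backing buffer instead of duplicating it, and neither the declaration in the first hunk nor the push_backs say so. Godot's Vector is copy-on-write as far as I know, so the stored copies should pin the same buffers the subpass already points into. A later switch to a deep-copying container, or a write to one of the local vectors after its pointer has been taken, would silently bring the use-after-free back. I would add a comment on the declaration, e.g. `// Keeps the per-subpass VkAttachmentReference buffers alive until vkCreateRenderPass(); the subpass structs hold raw pointers into them, so these copies must share storage with the originals.` The code that takes those pointers and the final vkCreateRenderPass call lie outside both hunks, so the accessor used cannot be confirmed from here.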