godotengine
/
godot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix use-after-free for VkAttachmentReference 

In the flow where VK_KHR_CREATE_RENDERPASS_2_EXTENSION_NAME does not exist
VkAttachmentReference are created inside a loop and their backing buffer is referenced in the subpass object.
the VkAttachmentReference vectors are freed once the loop exists, causing the subpass to point to freed data.

Add all the VkAttachmentReference to a vector in the scope of the entire function, to ensure they are not freed until vkCreateRenderPass is called
This commit is contained in:
ChibiDenDen 2023-02-20 11:54:52 +02:00 committed by GitHub
parent 9f68d06ec2
commit d104d8447b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/vulkan/vulkan_context.cpp
View File

@ -101,6 +101,7 @@ VkResult VulkanContext::vkCreateRenderPass2KHR(VkDevice p_device, const VkRender
attachments.push_back(att);
}
Vector<Vector<VkAttachmentReference>> attachment_references;
Vector<VkSubpassDescription> subpasses;
for (uint32_t i = 0; i < p_create_info->subpassCount; i++) {
// Here we need to do more, again it's just stripping out type and next
@ -124,6 +125,10 @@ VkResult VulkanContext::vkCreateRenderPass2KHR(VkDevice p_device, const VkRender
p_create_info->pSubpasses[i].preserveAttachmentCount, /* preserveAttachmentCount */
p_create_info->pSubpasses[i].pPreserveAttachments /* pPreserveAttachments */
};
attachment_references.push_back(input_attachments);
attachment_references.push_back(color_attachments);
attachment_references.push_back(resolve_attachments);
attachment_references.push_back(depth_attachments);
subpasses.push_back(subpass);
}