From 64e27cd87dbedf944eba3aaec2326ae80c1ef027 Mon Sep 17 00:00:00 2001
From: Mohammed Sadiq
Date: Mon, 26 Jun 2023 08:05:52 +0530
Subject: [PATCH] gldriver: Fix a possible use-after-free

g_hash_table_insert() frees the given key if it already exists in the hashtable. But since we use the same pointer in the following line, it will result in use-after-free. So instead, insert the key only if it doesn't exist.
---
 gsk/gl/gskgldriver.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/gsk/gl/gskgldriver.c b/gsk/gl/gskgldriver.c
index cc27a89ef6..225cae6920 100644
--- a/gsk/gl/gskgldriver.c
+++ b/gsk/gl/gskgldriver.c
@@ -686,17 +686,21 @@ gsk_gl_driver_cache_texture (GskGLDriver *self,
 const GskTextureKey *key,
 guint texture_id)
 {
- GskTextureKey *k;
-
 g_assert (GSK_IS_GL_DRIVER (self));
 g_assert (key != NULL);
 g_assert (texture_id > 0);
 g_assert (g_hash_table_contains (self->textures, GUINT_TO_POINTER (texture_id)));

- k = g_memdup (key, sizeof *key);
+ if (!g_hash_table_contains (self->key_to_texture_id, key))
+ {
+ GskTextureKey *k;

- g_hash_table_insert (self->key_to_texture_id, k, GUINT_TO_POINTER (texture_id));
- g_hash_table_insert (self->texture_id_to_key, GUINT_TO_POINTER (texture_id), k);
+ k = g_memdup (key, sizeof *key);
+
+ g_assert (!g_hash_table_contains (self->texture_id_to_key, GUINT_TO_POINTER (texture_id)));
+ g_hash_table_insert (self->key_to_texture_id, k, GUINT_TO_POINTER (texture_id));
+ g_hash_table_insert (self->texture_id_to_key, GUINT_TO_POINTER (texture_id), k);
+ }
 }

 /**
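Review bot: The invariant that a texture id has at most one key is enforced only by the new `g_assert (!g_hash_table_contains (self->texture_id_to_key, GUINT_TO_POINTER (texture_id)))` inside the `if` block, and g_assert() compiles to nothing when G_DISABLE_ASSERT is defined. In such a build a texture_id that already has a key would get its `texture_id_to_key` entry replaced while the earlier key stays in `key_to_texture_id`; what happens to the old key pointer depends on the tables' destroy functions, which are not visible in this hunk, so this is at least a stale cache entry and possibly the same class of dangling pointer the commit is fixing. I would fold the condition into a runtime guard placed after the existing asserts, e.g. `if (g_hash_table_contains (self->key_to_texture_id, key) || g_hash_table_contains (self->texture_id_to_key, GUINT_TO_POINTER (texture_id))) return;`, and add a comment above it such as `/* Keep the existing mapping: inserting again would free the stored key while texture_id_to_key still points at it. */` so the silent no-op for an already-cached key is documented for callers. The function's signature begins above the hunk, so its callers and the hash tables' construction are not visible from here.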