r300: Increase reference count of texture objects referenced by current state.

Fixes a use-after-free reported in
http://bugs.freedesktop.org/show_bug.cgi?id=20539, so this possibly fixes that
bug. It has been confirmed to fix
http://bugs.freedesktop.org/show_bug.cgi?id=17895 .
(cherry picked from commit c28707b50701b1cf8727be29d61e2d939c6ee58f)

4 files changed, 11 insertions, 9 deletions

diff --git a/src/mesa/drivers/dri/r300/r300_context.h b/src/mesa/drivers/dri/r300/r300_context.h
index c15e9fa3009..4a877ed9e97 100644
--- a/src/mesa/drivers/dri/r300/r300_context.h
+++ b/src/mesa/drivers/dri/r300/r300_context.h
@@ -211,7 +211,7 @@ struct r300_tex_obj {
 };
 
 struct r300_texture_env_state {
-	r300TexObjPtr texobj;
+	struct gl_texture_object *texobj;
 	GLenum format;
 	GLenum envMode;
 };
diff --git a/src/mesa/drivers/dri/r300/r300_state.c b/src/mesa/drivers/dri/r300/r300_state.c
index b756d1cc204..de4063a0630 100644
--- a/src/mesa/drivers/dri/r300/r300_state.c
+++ b/src/mesa/drivers/dri/r300/r300_state.c
@@ -1487,7 +1487,7 @@ static void r300SetupTextures(GLcontext * ctx)
 #endif
 			tmu_mappings[i] = hw_tmu;
 
-			t = r300->state.texture.unit[i].texobj;
+			t = (r300TexObjPtr) r300->state.texture.unit[i].texobj->DriverData;
 			/* XXX questionable fix for bug 9170: */
 			if (!t)
 				continue;
diff --git a/src/mesa/drivers/dri/r300/r300_texmem.c b/src/mesa/drivers/dri/r300/r300_texmem.c
index b03eefaa7c5..8d7889e9422 100644
--- a/src/mesa/drivers/dri/r300/r300_texmem.c
+++ b/src/mesa/drivers/dri/r300/r300_texmem.c
@@ -44,6 +44,7 @@ SOFTWARE.
 #include "main/colormac.h"
 #include "main/macros.h"
 #include "main/simple_list.h"
+#include "main/texobj.h"
 #include "radeon_reg.h"		/* gets definition for usleep */
 #include "r300_context.h"
 #include "r300_state.h"
@@ -71,8 +72,8 @@ void r300DestroyTexObj(r300ContextPtr rmesa, r300TexObjPtr t)
 	}
 
 	for (i = 0; i < rmesa->radeon.glCtx->Const.MaxTextureUnits; i++) {
-		if (rmesa->state.texture.unit[i].texobj == t) {
-			rmesa->state.texture.unit[i].texobj = NULL;
+		if (rmesa->state.texture.unit[i].texobj == t->base.tObj) {
+			_mesa_reference_texobj(&rmesa->state.texture.unit[i].texobj, NULL);
 		}
 	}
 }
diff --git a/src/mesa/drivers/dri/r300/r300_texstate.c b/src/mesa/drivers/dri/r300/r300_texstate.c
index e2329f04ec7..ccfeb10a0c0 100644
--- a/src/mesa/drivers/dri/r300/r300_texstate.c
+++ b/src/mesa/drivers/dri/r300/r300_texstate.c
@@ -567,19 +567,20 @@ static GLboolean r300UpdateTexture(GLcontext * ctx, int unit)
 	/* Update state if this is a different texture object to last
 	 * time.
 	 */
-	if (rmesa->state.texture.unit[unit].texobj != t) {
+	if (rmesa->state.texture.unit[unit].texobj != tObj) {
 		if (rmesa->state.texture.unit[unit].texobj != NULL) {
+			r300TexObjPtr t_old = (r300TexObjPtr) rmesa->state.texture.unit[unit].texobj->DriverData;
+
 			/* The old texture is no longer bound to this texture unit.
 			 * Mark it as such.
 			 */
 
-			rmesa->state.texture.unit[unit].texobj->base.bound &=
-			    ~(1 << unit);
+			t_old->base.bound &= ~(1 << unit);
 		}
 
-		rmesa->state.texture.unit[unit].texobj = t;
+		_mesa_reference_texobj(&rmesa->state.texture.unit[unit].texobj, tObj);
 		t->base.bound |= (1 << unit);
-		driUpdateTextureLRU((driTextureObject *) t);	/* XXX: should be locked! */
+		driUpdateTextureLRU(&t->base);	/* XXX: should be locked! */
 	}
 
 	return !t->border_fallback;