Fix pixel history potential use-after-free

* After resizing history events for overdraw the modification reference may no longer be valid.
baldurk · Oct 4, 2024 · cb1a292 · cb1a292
1 parent 5d0a85e
commit cb1a292
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/renderdoc/driver/d3d12/d3d12_pixelhistory.cpp b/renderdoc/driver/d3d12/d3d12_pixelhistory.cpp
@@ -2978,6 +2978,7 @@ rdcarray<PixelModification> D3D12Replay::PixelHistory(rdcarray<EventUsage> event
   {
     PixelModification &mod = history[h];
 
+    uint32_t eid = mod.eventId;
     int32_t eventIndex = cb.GetEventIndex(mod.eventId);
     if(eventIndex == -1)
     {
@@ -3036,18 +3037,22 @@ rdcarray<PixelModification> D3D12Replay::PixelHistory(rdcarray<EventUsage> event
       eventPremods[mod.eventId] = mod.preMod;
     }
 
-    for(int32_t f = 1; f < frags; f++)
     {
-      history.insert(h + 1, mod);
+      PixelModification duplicate = mod;
+      for(int32_t f = 1; f < frags; f++)
+      {
+        history.insert(h + 1, duplicate);
+      }
     }
+
     for(int32_t f = 0; f < frags; f++)
       history[h + f].fragIndex = f;
     h += RDCMAX(1, frags);
     RDCDEBUG(
         "PixelHistory event id: %u, fixed shader stencilValue = %u, "
         "original shader stencilValue = "
         "%u",
-        mod.eventId, ei.dsWithoutShaderDiscard[0], ei.dsWithShaderDiscard[0]);
+        eid, ei.dsWithoutShaderDiscard[0], ei.dsWithShaderDiscard[0]);
   }
 
   if(eventsWithFrags.size() > 0)

diff --git a/renderdoc/driver/vulkan/vk_pixelhistory.cpp b/renderdoc/driver/vulkan/vk_pixelhistory.cpp
@@ -4627,6 +4627,7 @@ rdcarray<PixelModification> VulkanReplay::PixelHistory(rdcarray<EventUsage> even
   {
     PixelModification &mod = history[h];
 
+    uint32_t eid = mod.eventId;
     int32_t eventIndex = cb.GetEventIndex(mod.eventId);
     if(eventIndex == -1)
     {
@@ -4685,7 +4686,7 @@ rdcarray<PixelModification> VulkanReplay::PixelHistory(rdcarray<EventUsage> even
     RDCDEBUG(
         "PixelHistory event id: %u, fixed shader stencilValue = %u, original shader stencilValue = "
         "%u",
-        mod.eventId, ei.dsWithoutShaderDiscard[4], ei.dsWithShaderDiscard[4]);
+        eid, ei.dsWithoutShaderDiscard[4], ei.dsWithShaderDiscard[4]);
   }
   m_pDriver->vkUnmapMemory(dev, resources.bufferMemory);