Fix use of invalid iterator.

The code grabbed an iterator to a slot, but eventually does an erase of the iterator. Unfortunately, the code then attempts to use this invalid iterator which can introduce subtle crashes by putting a garbage value on the free buffer list. Bug: 28351886 Change-Id: I42a4431b182cee4de829f15fa4ddc175a3d141f7
author: Christopher Ferris <cferris@google.com> 2016-04-26 11:29:08 -0700
committer: Christopher Ferris <cferris@google.com> 2016-04-27 11:02:21 -0700
commit: 87e94cd1d16281051d5241a25035aa1db0b073d8 (patch)
tree: 6bdf3d639b443d390562a0853a9848d7c4bc3ca6 /libs/gui/BufferQueueProducer.cpp
parent: 2ee735c97c760cec76c1385f1896b822ff45cba5 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 0b7ce174fe..73f61c5e98 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -1280,11 +1280,14 @@ void BufferQueueProducer::allocateBuffers(uint32_t width, uint32_t height,
 
                 // freeBufferLocked puts this slot on the free slots list. Since
                 // we then attached a buffer, move the slot to free buffer list.
-                mCore->mFreeSlots.erase(slot);
                 mCore->mFreeBuffers.push_front(*slot);
 
                 BQ_LOGV("allocateBuffers: allocated a new buffer in slot %d",
                         *slot);
+
+                // Make sure the erase is done after all uses of the slot
+                // iterator since it will be invalid after this point.
+                mCore->mFreeSlots.erase(slot);
             }
 
             mCore->mIsAllocating = false;
author	Christopher Ferris <cferris@google.com>	2016-04-26 11:29:08 -0700
committer	Christopher Ferris <cferris@google.com>	2016-04-27 11:02:21 -0700
commit	87e94cd1d16281051d5241a25035aa1db0b073d8 (patch)
tree	6bdf3d639b443d390562a0853a9848d7c4bc3ca6 /libs/gui/BufferQueueProducer.cpp
parent	2ee735c97c760cec76c1385f1896b822ff45cba5 (diff)