From 87e94cd1d16281051d5241a25035aa1db0b073d8 Mon Sep 17 00:00:00 2001
From: Christopher Ferris
Date: Tue, 26 Apr 2016 11:29:08 -0700
Subject: Fix use of invalid iterator.

The code grabbed an iterator to a slot, but eventually does an erase of the iterator. Unfortunately, the code then attempts to use this invalid iterator which can introduce subtle crashes by putting a garbage value on the free buffer list.

Bug: 28351886
Change-Id: I42a4431b182cee4de829f15fa4ddc175a3d141f7
---
 libs/gui/BufferQueueProducer.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'libs/gui/BufferQueueProducer.cpp')

diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 0b7ce174fe..73f61c5e98 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -1280,11 +1280,14 @@ void BufferQueueProducer::allocateBuffers(uint32_t width, uint32_t height,
 // freeBufferLocked puts this slot on the free slots list. Since
 // we then attached a buffer, move the slot to free buffer list.
- mCore->mFreeSlots.erase(slot);
 mCore->mFreeBuffers.push_front(*slot);
 BQ_LOGV("allocateBuffers: allocated a new buffer in slot %d", *slot);
+
+ // Make sure the erase is done after all uses of the slot
+ // iterator since it will be invalid after this point.
+ mCore->mFreeSlots.erase(slot);
 }
 mCore->mIsAllocating = false;
-- 
cgit v1.2.3-59-g8ed1b
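Review bot: The fix leaves `mCore->mFreeBuffers.push_front(*slot);` and the BQ_LOGV call correct only by statement order, which is exactly the property the original bug violated and which the next edit to this block can silently break again. Copying the value out first, `const int slotIndex = *slot;` placed before the erase (the element type is presumably an int slot index given the `%d` format; confirm against mFreeSlots' declaration), and using `slotIndex` in push_front and BQ_LOGV would make the invariant structural rather than positional, let the erase stay at its original position, and make the new two-line comment unnecessary. If mFreeSlots is a node-based container such as std::set, erase(slot) invalidates only that iterator, so the reordering as written is sufficient for the lines visible here. allocateBuffers begins and ends outside the hunk, so whether `slot` is dereferenced again later in the function cannot be confirmed from this view.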