Fix use of invalid iterator.

The code grabbed an iterator to a slot, but eventually does an erase
of the iterator. Unfortunately, the code then attempts to use this
invalid iterator which can introduce subtle crashes by putting a
garbage value on the free buffer list.

Bug: 28351886
Change-Id: I42a4431b182cee4de829f15fa4ddc175a3d141f7

diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 0b7ce17..73f61c5 100644 (file)
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -1280,11 +1280,14 @@ void BufferQueueProducer::allocateBuffers(uint32_t width, uint32_t height,
 
                 // freeBufferLocked puts this slot on the free slots list. Since
                 // we then attached a buffer, move the slot to free buffer list.
-                mCore->mFreeSlots.erase(slot);
                 mCore->mFreeBuffers.push_front(*slot);
 
                 BQ_LOGV("allocateBuffers: allocated a new buffer in slot %d",
                         *slot);
+
+                // Make sure the erase is done after all uses of the slot
+                // iterator since it will be invalid after this point.
+                mCore->mFreeSlots.erase(slot);
             }
 
             mCore->mIsAllocating = false;