Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_libhidl / 6f9074a8e1bfbb65b8f7199cdc1b0be28aa9ad04^! / . / libhidlcache / MemoryDealer.cpp
commit6f9074a8e1bfbb65b8f7199cdc1b0be28aa9ad04[log] [tgz]
authorGreg Kaiser <gkaiser@google.com>Mon Feb 25 07:13:28 2019 -0800
committerGreg Kaiser <gkaiser@google.com>Mon Feb 25 07:13:28 2019 -0800
tree9085c033cfbd6129cd8ed7c9174ab3a5f9c7324c
parentdd0490cfd2d7179960d2af6e4b6ac10054dec1af [diff] [blame]
MemoryDealer: Avoid using invalid iterator

'pos' is invalidated by the call to erase(), so we no longer
want to use it.  Instead, we reassign 'pos' to the result of
erase(), which a valid iterator.  Since that result could be
mList.end(), and since we would otherwise perform a '++pos',
we add a new check against mList.end() to break out of our
do/while loop.  Since we'll invoke the "return freed" path,
we don't need to be worried about the outer 'for' loop
incrementing 'pos' beyond the end.

Test: TreeHugger
Change-Id: Iade7ed4077318840aca9da3a4196c268c9080e7c

diff --git a/libhidlcache/MemoryDealer.cpp b/libhidlcache/MemoryDealer.cpp
index e0e18c7..e5686a7 100644
--- a/libhidlcache/MemoryDealer.cpp
+++ b/libhidlcache/MemoryDealer.cpp

@@ -221,8 +221,9 @@
                     if (p->free || !cur->size) {
                         freed = p;
                         p->size += cur->size;
-                        mList.erase(pos);
+                        pos = mList.erase(pos);
                         delete cur;
+                        if (pos == mList.end()) break;
                     }
                 }
                 if (++pos == mList.end()) break;