wl_egl: fix the problem caused by use_after_free

Change-Id: I2389ed6f709be843951f1e822571733e3faf4023
Signed-off-by: Joonbum Ko <joonbum.ko@samsung.com>

diff --git a/src/tpl_wl_egl_thread.c b/src/tpl_wl_egl_thread.c
index ebb010f7410e585f1612a70df289815fb43b941b..92d2816573cc8d4177291d7ba1479ecb20c924e9 100755 (executable)
--- a/src/tpl_wl_egl_thread.c
+++ b/src/tpl_wl_egl_thread.c
@@ -2274,6 +2274,7 @@ __idle_cb_buffers_finalize(void *data)
 
        int pending_cnt = 0;
        tpl_list_node_t *node = NULL;
+       tpl_list_node_t *next = NULL;
        tpl_bool_t ret = TPL_TRUE;
 
        tpl_gmutex_lock(&wl_egl_surface->surf_mutex);
@@ -2288,6 +2289,9 @@ __idle_cb_buffers_finalize(void *data)
        do {
                if (!node) break;
 
+               /* store the next node before node is freed */
+               next = __tpl_list_node_next(node);
+
                tpl_wl_egl_buffer_t wl_egl_buffer(__tpl_list_node_get_data(node));
 
                tpl_gmutex_lock(&wl_egl_buffer->mutex);
@@ -2343,13 +2347,13 @@ __idle_cb_buffers_finalize(void *data)
                                 status_to_string[status],
                                 status_to_string[RELEASED]);
 
-                       wl_egl_buffer->status = RELEASED;
+               wl_egl_buffer->status = RELEASED;
 
                tpl_gmutex_unlock(&wl_egl_buffer->mutex);
 
                tbm_surface_internal_unref(wl_egl_buffer->tbm_surface);
 
-       } while ((node = __tpl_list_node_next(node)));
+       } while ((node = next));
 
        tpl_gmutex_rec_unlock(&wl_egl_surface->buffers_mutex);