From e71f9b54c0c04d27b6a98ecaf4f9df9138e832d0 Mon Sep 17 00:00:00 2001
From: Joonbum Ko
Date: Tue, 2 Jul 2024 09:55:44 +0900
Subject: [PATCH] wl_egl: fix the problem caused by use_after_free
Change-Id: I2389ed6f709be843951f1e822571733e3faf4023
Signed-off-by: Joonbum Ko
---
 src/tpl_wl_egl_thread.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/tpl_wl_egl_thread.c b/src/tpl_wl_egl_thread.c
index ebb010f..92d2816 100755
--- a/src/tpl_wl_egl_thread.c
+++ b/src/tpl_wl_egl_thread.c
@@ -2274,6 +2274,7 @@ __idle_cb_buffers_finalize(void *data)
 int pending_cnt = 0;
 tpl_list_node_t *node = NULL;
+ tpl_list_node_t *next = NULL;
 tpl_bool_t ret = TPL_TRUE;
 tpl_gmutex_lock(&wl_egl_surface->surf_mutex);
@@ -2288,6 +2289,9 @@ __idle_cb_buffers_finalize(void *data)
 do {
 if (!node) break;
+ /* store the next node before node is freed */
+ next = __tpl_list_node_next(node);
+
 tpl_wl_egl_buffer_t wl_egl_buffer(__tpl_list_node_get_data(node));
 tpl_gmutex_lock(&wl_egl_buffer->mutex);
@@ -2343,13 +2347,13 @@ __idle_cb_buffers_finalize(void *data)
 status_to_string[status],
 status_to_string[RELEASED]);
- wl_egl_buffer->status = RELEASED;
+ wl_egl_buffer->status = RELEASED;
 tpl_gmutex_unlock(&wl_egl_buffer->mutex);
 tbm_surface_internal_unref(wl_egl_buffer->tbm_surface);
- } while ((node = __tpl_list_node_next(node)));
+ } while ((node = next));
 tpl_gmutex_rec_unlock(&wl_egl_surface->buffers_mutex);
-- 
2.34.1
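Review bot: The cached `next` taken at the top of the do-loop (second hunk) is only safe if one iteration can free at most the current node. If the release path reached from `tbm_surface_internal_unref()` (presumably the buffer's free callback, which is not visible here) can also unlink the successor, `next` dangles exactly as `node` did before this patch. The visible lines release `buffers_mutex` with `tpl_gmutex_rec_unlock`, so the lock is recursive and does not by itself rule out same-thread re-entry into the list during the unref. I would state the invariant where the pointer is saved, e.g. `/* unref below may free this buffer and its list node; only the current node may be removed while iterating */`. The new loop condition `while ((node = next))` in the last hunk relies on the same assumption, and the function body starts and ends outside these hunks.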