From d1b330de416adff0d178a5cb7271419d9ed7a89a Mon Sep 17 00:00:00 2001
From: Jamie Gennis
Date: Fri, 21 Sep 2012 11:55:35 -0700
Subject: [PATCH] SurfaceTexture: fix an out of bounds array write
This change fixes an issue causing the mEglContext member of a SurfaceTexture to get incorrectly zeroed out. This would happen when a call to ConsumerBase::releaseBufferLocked resulted in the current buffer being freed. Freeing the current buffer would set SurfaceTexture::mCurrentTexture to -1, which would then be used by SurfaceTexture::releaseBufferLocked to reset the current slot's EGLSyncKHR to EGL_NO_SYNC_KHR (= 0). This would overwrite the mEglContext field, resulting in context mismatch errors in SurfaceTexture::doGLFenceWaitLocked. The fix is to simply use the buffer slot that's passed in to SurfaceTexture::releaseBufferLocked rather than mCurrentTexture.
Change-Id: I0e5e2bd88fcbb354c35a3744f317716fff3e0e41
---
 libs/gui/SurfaceTexture.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/gui/SurfaceTexture.cpp b/libs/gui/SurfaceTexture.cpp
index f2e907760..cbd8c79d1 100644
--- a/libs/gui/SurfaceTexture.cpp
+++ b/libs/gui/SurfaceTexture.cpp
@@ -200,7 +200,7 @@ status_t SurfaceTexture::releaseBufferLocked(int buf, EGLDisplay display,
 status_t err = ConsumerBase::releaseBufferLocked(buf, mEglDisplay, eglFence);
- mEglSlots[mCurrentTexture].mEglFence = EGL_NO_SYNC_KHR;
+ mEglSlots[buf].mEglFence = EGL_NO_SYNC_KHR;
 return err;
 }
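Review bot: The new write `mEglSlots[buf].mEglFence = EGL_NO_SYNC_KHR;` still indexes the array with a plain `int` that nothing visible in this hunk range-checks, so the bug class described in the commit message (an index of -1 landing on the adjacent mEglContext member) remains reachable if a caller ever passes an invalid slot. A guard just before the write would close that off, for example `if (buf < 0 || buf >= SLOT_COUNT) return err;`, where SLOT_COUNT is a placeholder for the declared size of mEglSlots. The write also runs when ConsumerBase::releaseBufferLocked returns an error; a one-line comment such as `// fence is cleared even on failure: the slot no longer holds a pending sync` would record whether that is intended. The function begins outside the hunk, so `buf` may already be validated earlier or inside the base-class call; confirm before adding the check.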