From aef0445c6f1fbd818b594383217a13571bbd95ad Mon Sep 17 00:00:00 2001 From: ywen Date: Thu, 26 Mar 2015 19:51:12 +0800 Subject: [PATCH] Fix a memory corruption issue when vector resize There is memory corruption in the code below: const Rect* prev = &dst[prevIndex]; dst.add(Rect(prev->right, top, right, bottom)); prev points into the memory of vector dst. When dst is resized inside the add() call, the memory that prev points to is copied to the newly allocated vector memory and the old memory becomes undefined. Avoid the pointer in this case and use a local copy instead. Change-Id: I4d95ceedd00c8fb615ac153082ade1b1ce0d0fa8 --- libs/ui/Region.cpp | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/libs/ui/Region.cpp b/libs/ui/Region.cpp index 91fa21626..53ef19371 100644 --- a/libs/ui/Region.cpp +++ b/libs/ui/Region.cpp 
@@ -130,43 +130,42 @@ static void reverseRectsResolvingJunctions(const Rect* begin, const Rect* end, // prevIndex can't be -1 here because if endLastSpan is set to a // value greater than -1 (allowing the loop to execute), // beginLastSpan (and therefore prevIndex) will also be increased - const Rect* prev = &dst[static_cast(prevIndex)]; - + const Rect prev = dst[static_cast(prevIndex)]; if (spanDirection == direction_RTL) { // iterating over previous span RTL, quit if it's too far left - if (prev->right <= left) break; + if (prev.right <= left) break; - if (prev->right > left && prev->right < right) { - dst.add(Rect(prev->right, top, right, bottom)); - right = prev->right; + if (prev.right > left && prev.right < right) { + dst.add(Rect(prev.right, top, right, bottom)); + right = prev.right; } - if (prev->left > left && prev->left < right) { - dst.add(Rect(prev->left, top, right, bottom)); - right = prev->left; + if (prev.left > left && prev.left < right) { + dst.add(Rect(prev.left, top, right, bottom)); + right = prev.left; } // if an entry in the previous span is too far right, nothing further left in the // current span will need it - if (prev->left >= right) { + if (prev.left >= right) { beginLastSpan = prevIndex; } } else { // iterating over previous span LTR, quit if it's too far right - if (prev->left >= right) break; + if (prev.left >= right) break; - if (prev->left > left && prev->left < right) { - dst.add(Rect(left, top, prev->left, bottom)); - left = prev->left; + if (prev.left > left && prev.left < right) { + dst.add(Rect(left, top, prev.left, bottom)); + left = prev.left; } - if (prev->right > left && prev->right < right) { - dst.add(Rect(left, top, prev->right, bottom)); - left = prev->right; + if (prev.right > left && prev.right < right) { + dst.add(Rect(left, top, prev.right, bottom)); + left = prev.right; } // if an entry in the previous span is too far left, nothing further right in the // current span will need it - if (prev->right <= left) { + 
if (prev.right <= left) { beginLastSpan = prevIndex; } }
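Review bot: The new by-value `prev` declaration at the top of the hunk has no comment saying why it is a copy, so a later cleanup could turn it back into a `const Rect&` or a pointer and reintroduce the dangling access when `dst.add()` reallocates. I would add above the declaration `// Copy by value: dst.add() below may reallocate dst and invalidate pointers/references into it.` The context comment just above only argues that prevIndex cannot be -1 before it is cast to an index; a debug assertion on `prevIndex >= 0` would turn that argument into a checked invariant, since a wrapped index would read far outside dst. The enclosing loop and function start and end outside the hunk, so whether any other pointer into dst is held across an add() call cannot be seen from here.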