Mesa (7.11): apple: Fix a use after free
Jeremy Huddleston
jeremyhu at kemper.freedesktop.org
Mon Apr 23 23:18:54 UTC 2012
Module: Mesa
Branch: 7.11
Commit: 1fa6c87c88ad8494355431ba5134236e8f819a74
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=1fa6c87c88ad8494355431ba5134236e8f819a74
Author: Jonas Maebe <jonas.maebe at elis.ugent.be>
Date: Mon Apr 23 16:02:16 2012 -0700
apple: Fix a use after free
Reviewed-by: Jeremy Huddleston <jeremyhu at apple.com>
(cherry picked from commit c60ffd2840036af1ea6f2b6c6e1e9014bb8e2c34)
---
src/glx/apple/apple_glx_surface.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/glx/apple/apple_glx_surface.c b/src/glx/apple/apple_glx_surface.c
index 39f5130..d42fa3b 100644
--- a/src/glx/apple/apple_glx_surface.c
+++ b/src/glx/apple/apple_glx_surface.c
@@ -206,6 +206,10 @@ apple_glx_surface_destroy(unsigned int uid)
if (d) {
d->types.surface.pending_destroy = true;
d->release(d);
+
+ /* apple_glx_drawable_find_by_uid returns a locked drawable */
+ d->unlock(d);
+
/*
* We release 2 references to the surface. One was acquired by
* the find, and the other was leftover from a context, or
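Review bot: The new comment above d->unlock(d) says why the drawable is locked, but not why the unlock has to come before d->destroy(d), which is the actual fix named in the subject line. Suggest extending the comment to say that d must not be touched after d->destroy(d), so the unlock is not moved back to the end of the block later. Separately, d->release(d) still runs before the unlock. The existing comment says two references are dropped here, so the unlock is only safe while that release is never the last one; a short note or an assertion on that invariant would help.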
@@ -217,7 +221,5 @@ apple_glx_surface_destroy(unsigned int uid)
* by a glViewport callback (see apple_glx_context_update()).
*/
d->destroy(d);
-
- d->unlock(d);
}
}
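Review bot: With the trailing d->unlock(d) removed, d->destroy(d) now runs with the drawable unlocked. Please confirm that destroy does not expect its caller to hold the lock, and that pending_destroy (set at the top of this block) is enough to keep another thread that looks up the same uid from using the drawable in the window between the unlock and the destroy.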