Mesa (master): Fix read from pointer after free

[Anuj Phogat]

Module: Mesa
Branch: master
Commit: 0ed11e333147e280208d9d0b3ff3f39970547643
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=0ed11e333147e280208d9d0b3ff3f39970547643

Author: Anuj Phogat <anuj.phogat at gmail.com>
Date:   Tue Jan  3 18:12:06 2012 -0800

Fix read from pointer after free

Coverity reported a read from pointer after free defect in
src/mesa/drivers/dri/intel/intel_mipmap_tree.c. Bug# 44205
In intel_miptree_all_slices_resolve() function, i = i->next was
executing after freeing i. I have defined a temporary variable
(next) to store the value of i->next before freeing i

Reported-by: Vinson Lee <vlee at vmware.com>
Signed-off-by: Anuj Phogat <anuj.phogat at gmail.com>
Reviewed-by: Eric Anholt <eric at anholt.net>

---

 src/mesa/drivers/dri/intel/intel_mipmap_tree.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
index 60cc694..7787c1a 100644
--- a/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
+++ b/src/mesa/drivers/dri/intel/intel_mipmap_tree.c
@@ -640,12 +640,13 @@ intel_miptree_all_slices_resolve(struct intel_context *intel,
 				 resolve_func_t func)
 {
    bool did_resolve = false;
-   struct intel_resolve_map *i;
+   struct intel_resolve_map *i, *next;
 
-   for (i = mt->hiz_map.next; i; i = i->next) {
+   for (i = mt->hiz_map.next; i; i = next) {
       if (i->need != need)
 	 continue;
       func(intel, mt, i->level, i->layer);
+      next = i->next;
       intel_resolve_map_remove(i);
       did_resolve = true;
    }