From 939d25f0b0d29cf422ab5f06bba9070b431e8c56 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 6 Feb 2014 14:32:18 +0200
Subject: [PATCH] android/AVRCP: Fix possible invalid read

Like in A2DP case it is not safe to call g_slist_remove within g_slist_free_full callback.
---
 android/avrcp.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/android/avrcp.c b/android/avrcp.c
index f61ed341c..7ee5a8a0a 100644
--- a/android/avrcp.c
+++ b/android/avrcp.c
@@ -140,10 +140,15 @@ static void avrcp_device_free(void *data)
 g_io_channel_unref(dev->io);
 }

- devices = g_slist_remove(devices, dev);
 g_free(dev);
 }

+static void avrcp_device_remove(struct avrcp_device *dev)
+{
+ devices = g_slist_remove(devices, dev);
+ avrcp_device_free(dev);
+}
+
 static struct avrcp_device *avrcp_device_new(const bdaddr_t *dst)
 {
 struct avrcp_device *dev;
@@ -171,7 +176,7 @@ static void disconnect_cb(void *data)

 dev->session = NULL;

- avrcp_device_free(dev);
+ avrcp_device_remove(dev);
 }

 static void connect_cb(GIOChannel *chan, GError *err, gpointer user_data)
@@ -362,5 +367,5 @@ void bt_avrcp_disconnect(const bdaddr_t *dst)
 return;
 }

- avrcp_device_free(dev);
+ avrcp_device_remove(dev);
 }
--
2.47.3
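Review bot: With the unlink moved out of avrcp_device_free() in the first hunk, any remaining direct caller that is not the g_slist_free_full callback now frees a device that may still be linked in `devices`, so a later list lookup would read freed memory. Only disconnect_cb() and bt_avrcp_disconnect() are converted in the visible hunks; other call sites, if any (for example an error path after avrcp_device_new()), lie outside the diff and should be checked. The code that calls g_slist_free_full should also be confirmed to reset `devices` to NULL afterwards, since the callback no longer shrinks the list. I would add a comment above avrcp_device_free() to make the contract explicit: `/* Frees dev only; does not unlink it from devices. Use avrcp_device_remove() unless called via g_slist_free_full(). */`. The body of avrcp_device_free() starts outside the hunk, so the first half of the function could not be reviewed here.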