realtime_zsl: Avoid reading pending_request after erasure

The entry erased by:
  pending_frame_number_to_requests_.erase(result->frame_number);
is actually the `pending_request`. So after the erasure it must not be
accessed again.

This commit fixes a use-after-free bug introduced by commit 31fa05e.

Fix: 279845929
Test: CTS
Change-Id: I91197513377b5e3f7972c3f521cfbd94614ae36f

1 files changed, 4 insertions, 1 deletions

diff --git a/common/hal/google_camera_hal/realtime_zsl_result_request_processor.cc b/common/hal/google_camera_hal/realtime_zsl_result_request_processor.cc
index d9a851a..93e5844 100644
--- a/common/hal/google_camera_hal/realtime_zsl_result_request_processor.cc
+++ b/common/hal/google_camera_hal/realtime_zsl_result_request_processor.cc
@@ -407,13 +407,16 @@ void RealtimeZslResultRequestProcessor::ReturnResultDirectlyForFramesWithErrorsL
   // the callback directly. Otherwise wait until the missing pieces arrive.
   CombineErrorAndPendingEntriesToResult(error_entry, pending_request, result);
 
+  const bool has_returned_output_to_internal_stream_manager =
+      pending_request.has_returned_output_to_internal_stream_manager;
+
   if (AllDataCollected(error_entry)) {
     pending_error_frames_.erase(result->frame_number);
     pending_frame_number_to_requests_.erase(result->frame_number);
   }
 
   // Don't send result to framework if only internal raw callback
-  if (pending_request.has_returned_output_to_internal_stream_manager &&
+  if (has_returned_output_to_internal_stream_manager &&
       result->result_metadata == nullptr && result->output_buffers.size() == 0) {
     return;
   }