From aecbe9b1192ad326ba8da9e408819be7d5527edc Mon Sep 17 00:00:00 2001
From: Axel Naumann <Axel.Naumann@cern.ch>
Date: Thu, 1 Feb 2018 15:15:53 +0100
Subject: [PATCH] Fix memory corruption in reader initialization.

For arrays, CreateProxy() can add to fValues which invalidates iterators.
Use stable, index-based iteration instead.
---
 tree/treeplayer/src/TTreeReader.cxx | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/tree/treeplayer/src/TTreeReader.cxx b/tree/treeplayer/src/TTreeReader.cxx
index 4cfa8026e5ab8..d411fbdd96763 100644
--- a/tree/treeplayer/src/TTreeReader.cxx
+++ b/tree/treeplayer/src/TTreeReader.cxx
@@ -392,12 +392,14 @@ TTreeReader::EEntryStatus TTreeReader::SetEntryBase(Long64_t entry, Bool_t local
    fMostRecentTreeNumber = fTree->GetTreeNumber();
 
    if (!fProxiesSet) {
-      // Tell readers we now have a tree
-      for (std::deque<ROOT::Internal::TTreeReaderValueBase*>::const_iterator
-              i = fValues.begin(); i != fValues.end(); ++i) { // Iterator end changes when parameterized arrays are read
-         (*i)->CreateProxy();
-
-         if (!(*i)->GetProxy()){
+      // Tell readers we now have a tree.
+      // fValues gets insertions during this loop (when parameterized arrays are read),
+      // invalidating iterators. Use old-school counting instead.
+      for (size_t i = 0; i < fValues.size(); ++i) {
+         ROOT::Internal::TTreeReaderValueBase* reader = fValues[i];
+         reader->CreateProxy();
+
+         if (!reader->GetProxy()){
             fEntryStatus = kEntryDictionaryError;
             return fEntryStatus;
          }