gpu: Fix CHECK failure found by ClusterFuzz

ClusterFuzz found a case where the transfer buffer could be resized
after we finish using a ScopedResultPtr but before it goes out of scope.
This cleans up the dangling pointer by reducing its scope.

Bug: 905889, 906409
Change-Id: I9e4aec8ed8f66df15404719c2589f775b433c3cd
Reviewed-on: https://chromium-review.googlesource.com/c/1351783Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: James Darpinian <jdarpinian@chromium.org>
Cr-Commit-Position: refs/heads/master@{#611158}

gpu/command_buffer/client/implementation_base.cc

@@ -189,16 +189,22 @@ bool ImplementationBase::GetBucketContents(uint32_t bucket_id,
   if (!buffer.valid()) {
     return false;
   }
-  typedef cmd::GetBucketStart::Result Result;
-  auto result = GetResultAs<Result>();
-  if (!result) {
-    return false;
+  uint32_t size = 0;
+  {
+    // The Result pointer must be scoped to this block because it can be
+    // invalidated below if resizing the ScopedTransferBufferPtr causes the
+    // transfer buffer to be reallocated.
+    typedef cmd::GetBucketStart::Result Result;
+    auto result = GetResultAs<Result>();
+    if (!result) {
+      return false;
+    }
+    *result = 0;
+    helper_->GetBucketStart(bucket_id, GetResultShmId(), result.offset(),
+                            buffer.size(), buffer.shm_id(), buffer.offset());
+    WaitForCmd();
+    size = *result;
   }
-  *result = 0;
-  helper_->GetBucketStart(bucket_id, GetResultShmId(), result.offset(),
-                          buffer.size(), buffer.shm_id(), buffer.offset());
-  WaitForCmd();
-  uint32_t size = *result;
   data->resize(size);
   if (size > 0u) {
     uint32_t offset = 0;