Fix heap corruption in quartz server registration

Paul Vriens Paul.Vriens at xs4all.nl
Thu Jan 20 15:31:19 CST 2005


On Thu, 2005-01-20 at 22:21, Mike Hearn wrote:
> On Thu, 2005-01-20 at 20:32 +0100, Paul Vriens wrote:
> > Sorry, didn't help.
> > 
> > I'm going to try Rob's suggestions now.
> 
> This patch fixes it for me.
> 
> Mike Hearn <mh at codeweavers.com>
> Fix heap corruption in quartz server registration, add
> some whitespace, break out of loop if out of memory
> 
> --- dlls/quartz/regsvr.c  (revision 109)
> +++ dlls/quartz/regsvr.c  (local)
> @@ -577,7 +577,6 @@ static HRESULT register_filters(struct r
>      IFilterMapper2* pFM2 = NULL;
>  
>      CoInitialize(NULL);
> -    
>      hr = CoCreateInstance(&CLSID_FilterMapper2, NULL, CLSCTX_INPROC_SERVER, &IID_IFilterMapper2, (LPVOID*)&pFM2);
>  
>      if (SUCCEEDED(hr)) {
> @@ -585,6 +584,7 @@ static HRESULT register_filters(struct r
>  	    REGFILTER2 rf2;
>  	    REGFILTERPINS2* prfp2;
>  	    int i;
> +
>  	    for (i = 0; list->pins[i].flags != 0xFFFFFFFF; i++) ;
>  	    rf2.dwVersion = 2;
>  	    rf2.dwMerit = list->merit;
> @@ -598,6 +598,7 @@ static HRESULT register_filters(struct r
>  		REGPINTYPES* lpMediatype;
>  		CLSID* lpClsid;
>  		int j, nbmt;
> +                
>  		for (nbmt = 0; list->pins[i].mediatypes[nbmt].majortype; nbmt++) ;
>  		/* Allocate a single buffer for regpintypes struct and clsids */
>  		lpMediatype = (REGPINTYPES*) CoTaskMemAlloc(nbmt*(sizeof(REGPINTYPES) + 2*sizeof(CLSID)));
> @@ -627,10 +628,17 @@ static HRESULT register_filters(struct r
>  		prfp2[i].clsPinCategory = NULL;
>  	    }
>  
> +	    if (FAILED(hr)) {
> +		ERR("failed to register with hresult 0x%lx\n", hr);
> +		break;
> +	    }
> +
>  	    hr = IFilterMapper2_RegisterFilter(pFM2, list->clsid, list->name, NULL, list->category, NULL, &rf2);
>  
> -	    while (i--)
> +	    while (i) {
>  		CoTaskMemFree((REGPINTYPES*)prfp2[i-1].lpMediaType);
> +		i--;
> +	    }
>  	    CoTaskMemFree(prfp2);
>  	}
>      }
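Review bot: The added `if (FAILED(hr)) { ...; break; }` leaves the block before the `while (i)` cleanup and `CoTaskMemFree(prfp2)`, so on the failure path `prfp2` and every `lpMediaType` buffer allocated so far are never freed. The per-pin loop that sets `hr` and the enclosing loop of register_filters both start outside this hunk, so this assumes `i` still counts the pins whose buffers were allocated when that loop stops early. Guarding only the call, `if (SUCCEEDED(hr)) hr = IFilterMapper2_RegisterFilter(pFM2, list->clsid, list->name, NULL, list->category, NULL, &rf2); else ERR("out of memory, hresult 0x%lx\n", hr);`, lets the frees run on both paths and stops the message claiming a registration failure before RegisterFilter has been called. Whether the enclosing loop then stops on a failed `hr` depends on its condition, which is not visible here. I would also add a comment on the rewritten loop, `/* index with i-1 before decrementing: while (i--) passed prfp2[-1].lpMediaType to CoTaskMemFree and skipped the last pin */`, so the heap-corruption fix is not undone by a later tidy-up.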
> 
Let's hear it for Mike !!

Works here as well. I don't get any ERR output, so I presume it's the
change to the while() loop alone that fixed it?

Cheers and thanks,

Paul.



