From 45a12c3204b9c624f0e6e386de04faf4cb6a0a70 Mon Sep 17 00:00:00 2001
From: Daniel Lehman
Date: Mon, 19 Jul 2021 14:19:34 -0700
Subject: [PATCH] gdi32: Fix double-free on repeated calls to Delete[Enh]MetaFile.
Signed-off-by: Daniel Lehman
---
 dlls/gdi32/gdiobj.c | 1 +
 dlls/gdi32/tests/metafile.c | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/dlls/gdi32/gdiobj.c b/dlls/gdi32/gdiobj.c
index 9059f817636..f56b8891d84 100644
--- dlls/gdi32/gdiobj.c
+++ b/dlls/gdi32/gdiobj.c
@@ -916,6 +916,7 @@ BOOL WINAPI NtGdiDeleteObjectApp( HGDIOBJ obj )
 return TRUE;
 }
+ entry->UserPointer = 0;
 obj = entry_to_handle( entry ); /* make it a full handle */
 hdcs_head = header->hdcs;
diff --git a/dlls/gdi32/tests/metafile.c b/dlls/gdi32/tests/metafile.c
index 0e2a5aa4cec..cd661c27bc9 100644
--- a/dlls/gdi32/tests/metafile.c
+++ b/dlls/gdi32/tests/metafile.c
@@ -3032,7 +3032,13 @@ static void test_metafile_file(void)
 EnumMetaFile(0, metafile, mf_enum_proc, 0);
 }
- DeleteMetaFile(metafile);
+ ret = DeleteMetaFile(metafile);
+ ok(ret, "Could not delete metafile: %u\n", GetLastError());
+
+ SetLastError(0xdeadbeef);
+ ret = DeleteMetaFile(metafile);
+ ok(!ret, "DeleteMetaFile succeeded\n");
+ ok(GetLastError() == ERROR_INVALID_HANDLE, "GetLastError() = %u\n", GetLastError());
 SetLastError(0xdeadbeef);
 metafile = CloseMetaFile(dc);
@@ -3127,7 +3133,13 @@ static void test_enhmetafile_file(void)
 dump_emf_records(metafile, "emf_Bezier");
 }
- DeleteEnhMetaFile(metafile);
+ ret = DeleteEnhMetaFile(metafile);
+ ok(ret, "Could not delete emf: %u\n", GetLastError());
+
+ SetLastError(0xdeadbeef);
+ ret = DeleteEnhMetaFile(metafile);
+ ok(!ret, "DeleteEnhMetaFile succeeded\n");
+ ok(GetLastError() == ERROR_INVALID_HANDLE, "GetLastError() = %u\n", GetLastError());
 SetLastError(0xdeadbeef);
 metafile = CloseEnhMetaFile(dc);
--
2.27.0
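Review bot: The added `entry->UserPointer = 0;` in NtGdiDeleteObjectApp carries no comment, and nothing on the line says it is the guard against the double free named in the subject. I would add `/* drop the client-side pointer so a second delete of the same handle finds nothing to free */` directly above it. The rest of the function lies outside the hunk, so it is not visible whether a later path can keep the object alive (a deferred delete, for instance) after the pointer has already been cleared; if such a path exists, the clear presumably belongs where the object is actually released. It is also worth confirming that the code which frees the metafile data reads this field under the same lock, since otherwise two threads deleting one handle could both observe the old pointer.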
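Review bot: The second `DeleteMetaFile(metafile)` in test_metafile_file deliberately passes a handle that was just deleted, and without a comment it reads like a copy-paste mistake; the same applies to the second `DeleteEnhMetaFile(metafile)` in test_enhmetafile_file. I would add `/* deleting the same handle again must fail with ERROR_INVALID_HANDLE, not free twice */` before each of the added `SetLastError(0xdeadbeef);` lines. Both test functions start and end outside their hunks, so the declaration of `ret` is not visible here.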