SERVER: fix a double free in the named pipe code

Mike McCormack mike at codeweavers.com
Thu Jul 15 10:35:40 CDT 2004


The current named pipe code frees server->flush_poll twice when 
check_flushed() is called (once in notify_empty() and once in 
handle_timeout()).  This leads to memory corruption and may make the 
wineserver crash or hang when named pipes are used (e.g. in OLE).

Thanks to Mike Hearn and Aric for helping me track this down.

Mike


ChangeLog:
* fix a double free in the named pipe code
-------------- next part --------------
Index: server/named_pipe.c
===================================================================
RCS file: /home/wine/wine/server/named_pipe.c,v
retrieving revision 1.29
diff -u -r1.29 named_pipe.c
--- server/named_pipe.c	8 Apr 2004 19:09:04 -0000	1.29
+++ server/named_pipe.c	15 Jul 2004 15:24:17 -0000
@@ -428,7 +428,13 @@
         server->flush_poll = add_timeout_user( &tv, check_flushed, server );
     }
     else
-        notify_empty( server );
+    {
+        /* notify_empty( server ); */
+        server->flush_poll = NULL;
+        set_event( server->event );
+        release_object( server->event );
+        server->event = NULL;
+    }
 }
 
 static int pipe_server_flush( struct fd *fd, struct event **event )
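Review bot: the commented-out `/* notify_empty( server ); */` in the new else branch should be deleted rather than left in place; dead code kept in a comment invites someone to re-enable it, which would bring back the double free this patch removes. The branch now carries an inlined sequence (`set_event`, `release_object`, `server->event = NULL`) together with `server->flush_poll = NULL;`, so a one-line comment explaining why this path must clear flush_poll itself instead of calling notify_empty() (the timeout user has already fired by the time check_flushed() runs, so it must not be released a second time) would keep a later cleanup from collapsing the two paths back together.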


More information about the wine-patches mailing list