SERVER: fix a double free in the named pipe code
Mike McCormack
mike at codeweavers.com
Thu Jul 15 10:35:40 CDT 2004
The current named pipe code frees server->flush_poll twice when
check_flushed() is called (once in notify_empty() and once in
handle_timeout()). This leads to memory corruption and may make the
wineserver crash or hang when named pipes are used (e.g. in OLE).
Thanks to Mike Hearn and Aric for helping me track this down.
Mike
ChangeLog:
* fix a double free in the named pipe code
-------------- next part --------------
Index: server/named_pipe.c
===================================================================
RCS file: /home/wine/wine/server/named_pipe.c,v
retrieving revision 1.29
diff -u -r1.29 named_pipe.c
--- server/named_pipe.c 8 Apr 2004 19:09:04 -0000 1.29
+++ server/named_pipe.c 15 Jul 2004 15:24:17 -0000
@@ -428,7 +428,13 @@
server->flush_poll = add_timeout_user( &tv, check_flushed, server );
}
else
- notify_empty( server );
+ {
+ /* notify_empty( server ); */
+ server->flush_poll = NULL;
+ set_event( server->event );
+ release_object( server->event );
+ server->event = NULL;
+ }
}
static int pipe_server_flush( struct fd *fd, struct event **event )
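Review bot: The new else branch leaves /* notify_empty( server ); */ as commented-out code and does not say why the call is unsafe here. Replace it with a comment stating that the timeout user is freed by handle_timeout() once check_flushed() returns, so this path may only clear server->flush_poll and must not go through notify_empty(). The branch also passes server->event to set_event() and release_object() with no visible NULL check; either guard those three lines with if (server->event) or note why the event is always set when the flush timeout fires. The three event lines appear to repeat part of what notify_empty() does, so a small shared helper for the event signalling would keep the two paths from drifting apart.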