Thomas Faber : comctl32: Avoid use-after-free in DPA_Merge (DPH).
Alexandre Julliard
julliard at wine.codeweavers.com
Mon Apr 20 08:24:42 CDT 2015
Module: wine
Branch: master
Commit: 13b65faf4e758439afc5139098b4231407c5bb0f
URL: http://source.winehq.org/git/wine.git/?a=commit;h=13b65faf4e758439afc5139098b4231407c5bb0f
Author: Thomas Faber <thomas.faber at reactos.org>
Date: Sat Apr 18 12:08:29 2015 +0200
comctl32: Avoid use-after-free in DPA_Merge (DPH).
---
dlls/comctl32/dpa.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/dlls/comctl32/dpa.c b/dlls/comctl32/dpa.c
index 148d3f1..b5b7ff8 100644
--- a/dlls/comctl32/dpa.c
+++ b/dlls/comctl32/dpa.c
@@ -303,16 +303,14 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags,
hdpa1->nItemCount, hdpa2->nItemCount);
- /* working but untrusted implementation */
-
- pWork1 = &(hdpa1->ptrs[hdpa1->nItemCount - 1]);
- pWork2 = &(hdpa2->ptrs[hdpa2->nItemCount - 1]);
-
nIndex = hdpa1->nItemCount - 1;
nCount = hdpa2->nItemCount - 1;
do
{
+ pWork1 = &hdpa1->ptrs[nIndex];
+ pWork2 = &hdpa2->ptrs[nCount];
+
if (nIndex < 0) {
if ((nCount >= 0) && (dwFlags & DPAM_UNION)) {
/* Now insert the remaining new items into DPA 1 */
@@ -343,10 +341,8 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags,
return FALSE;
nCount--;
- pWork2--;
*pWork1 = ptr;
nIndex--;
- pWork1--;
}
else if (nResult > 0)
{
@@ -361,7 +357,6 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags,
(pfnMerge)(DPAMM_DELETE, ptr, NULL, lParam);
}
nIndex--;
- pWork1--;
}
else
{
@@ -377,7 +372,6 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags,
DPA_InsertPtr (hdpa1, nIndex+1, ptr);
}
nCount--;
- pWork2--;
}
}
More information about the wine-cvs
mailing list