Paul Gofman : d3d9: Fix crash in d3d9_vertexbuffer_Release().

Alexandre Julliard julliard at winehq.org
Thu Dec 20 14:25:28 CST 2018


Module: wine
Branch: master
Commit: e6c6be1cf75db1cf58f39d170ab6a7f3d7bc5663
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=e6c6be1cf75db1cf58f39d170ab6a7f3d7bc5663

Author: Paul Gofman <gofmanp at gmail.com>
Date:   Tue Dec 18 19:57:22 2018 +0300

d3d9: Fix crash in d3d9_vertexbuffer_Release().

If there is no draw buffer then buffer pointer gets freed in
wined3d_buffer_decref() via d3d9_vertexbuffer_wined3d_parent_ops
and consequent check for buffer->draw_buffer results in freed
memory access.

Signed-off-by: Paul Gofman <gofmanp at gmail.com>
Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/d3d9/buffer.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dlls/d3d9/buffer.c b/dlls/d3d9/buffer.c
index 1533a84..7e178f2 100644
--- a/dlls/d3d9/buffer.c
+++ b/dlls/d3d9/buffer.c
@@ -76,12 +76,13 @@ static ULONG WINAPI d3d9_vertexbuffer_Release(IDirect3DVertexBuffer9 *iface)
 
     if (!refcount)
     {
+        struct wined3d_buffer *draw_buffer = buffer->draw_buffer;
         IDirect3DDevice9Ex *device = buffer->parent_device;
 
         wined3d_mutex_lock();
         wined3d_buffer_decref(buffer->wined3d_buffer);
-        if (buffer->draw_buffer)
-            wined3d_buffer_decref(buffer->draw_buffer);
+        if (draw_buffer)
+            wined3d_buffer_decref(draw_buffer);
         wined3d_mutex_unlock();
 
         /* Release the device last, as it may cause the device to be destroyed. */
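Review bot: the new local draw_buffer at the top of the if (!refcount) block carries no comment saying why it has to be read before wined3d_buffer_decref(buffer->wined3d_buffer), so a later cleanup could fold it back into buffer->draw_buffer and reintroduce the freed-memory read described in the commit message. Suggest a one-line comment on the declaration, in the style of the existing "Release the device last" comment, stating that buffer may already have been freed through the parent ops by the time the first decref returns. The device local just below follows the same read-before-decref pattern, so one comment could cover both.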



