Zhiyi Zhang : riched20: Fix a use after free.
Alexandre Julliard
julliard at winehq.org
Sun Mar 3 13:21:32 CST 2019
Module: wine
Branch: oldstable
Commit: ceea7138b4d1cec4006e09fc16f43157b144baa3
URL: https://source.winehq.org/git/wine.git/?a=commit;h=ceea7138b4d1cec4006e09fc16f43157b144baa3
Author: Zhiyi Zhang <zzhang at codeweavers.com>
Date: Wed Jan 2 00:03:29 2019 +0800
riched20: Fix a use after free.
In ME_DestroyEditor(), the item list is being freed when
calling get_total_width() in destroy_para().
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46328
Signed-off-by: Zhiyi Zhang <zzhang at codeweavers.com>
Signed-off-by: Huw Davies <huw at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
(cherry picked from commit 62d80cff6917d6809614885f833358baeb310f20)
Signed-off-by: Michael Stefaniuc <mstefani at winehq.org>
---
dlls/riched20/editor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index daafe80..617a618 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -3126,13 +3126,13 @@ ME_TextEditor *ME_MakeEditor(ITextHost *texthost, BOOL bEmulateVersion10)
void ME_DestroyEditor(ME_TextEditor *editor)
{
- ME_DisplayItem *pFirst = editor->pBuffer->pFirst;
- ME_DisplayItem *p = pFirst, *pNext = NULL;
+ ME_DisplayItem *p = editor->pBuffer->pFirst, *pNext = NULL;
ME_Style *s, *cursor2;
int i;
ME_ClearTempStyle(editor);
ME_EmptyUndoStack(editor);
+ editor->pBuffer->pFirst = NULL;
while(p) {
pNext = p->next;
ME_DestroyDisplayItem(p);
More information about the wine-cvs
mailing list