[PATCH 1/4] d3d9: Fix crash in d3d9_vertexbuffer_Release().
Paul Gofman
gofmanp at gmail.com
Tue Dec 18 10:57:22 CST 2018
If there is no draw buffer then buffer pointer gets freed in
wined3d_buffer_decref() via d3d9_vertexbuffer_wined3d_parent_ops
and consequent check for buffer->draw_buffer results in freed
memory access.
Signed-off-by: Paul Gofman <gofmanp at gmail.com>
---
dlls/d3d9/buffer.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dlls/d3d9/buffer.c b/dlls/d3d9/buffer.c
index 1533a8496d..7e178f278f 100644
--- a/dlls/d3d9/buffer.c
+++ b/dlls/d3d9/buffer.c
@@ -76,12 +76,13 @@ static ULONG WINAPI d3d9_vertexbuffer_Release(IDirect3DVertexBuffer9 *iface)
if (!refcount)
{
+ struct wined3d_buffer *draw_buffer = buffer->draw_buffer;
IDirect3DDevice9Ex *device = buffer->parent_device;
wined3d_mutex_lock();
wined3d_buffer_decref(buffer->wined3d_buffer);
- if (buffer->draw_buffer)
- wined3d_buffer_decref(buffer->draw_buffer);
+ if (draw_buffer)
+ wined3d_buffer_decref(draw_buffer);
wined3d_mutex_unlock();
/* Release the device last, as it may cause the device to be destroyed. */
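Review bot: The new local `draw_buffer` at the top of the `if (!refcount)` block carries no comment explaining why it has to be read before `wined3d_buffer_decref(buffer->wined3d_buffer)`, so a later cleanup could fold it back into `buffer->draw_buffer` and reintroduce the freed-memory read the commit message describes. Suggest a short comment on the declaration, for example "buffer may be freed by the first decref when there is no draw buffer", alongside the existing comment about releasing the device last. `device` is cached in the same block and, per that comment, released after the decrefs, so one comment could cover both locals. Since the diffstat shows only this function is touched, it is also worth confirming that no other Release path in dlls/d3d9/buffer.c reads a `buffer->` field after its decref.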
--
2.19.2