[PATCH] riched20: Fix a use after free.
Zhiyi Zhang
zzhang at codeweavers.com
Tue Jan 1 10:03:29 CST 2019
In ME_DestroyEditor(), the item list is being freed when
calling get_total_width() in destroy_para().
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46328
Signed-off-by: Zhiyi Zhang <zzhang at codeweavers.com>
---
dlls/riched20/editor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 9bacc6315d..2bb285866b 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -3183,13 +3183,13 @@ ME_TextEditor *ME_MakeEditor(ITextHost *texthost, BOOL bEmulateVersion10)
void ME_DestroyEditor(ME_TextEditor *editor)
{
- ME_DisplayItem *pFirst = editor->pBuffer->pFirst;
- ME_DisplayItem *p = pFirst, *pNext = NULL;
+ ME_DisplayItem *p = editor->pBuffer->pFirst, *pNext = NULL;
ME_Style *s, *cursor2;
int i;
ME_ClearTempStyle(editor);
ME_EmptyUndoStack(editor);
+ editor->pBuffer->pFirst = NULL;
while(p) {
pNext = p->next;
if (p->type == diParagraph)
--
2.19.2
More information about the wine-devel
mailing list