vbscript: Fix possible memory leak/crash caused by race condition in VBScriptParse_InitNew.

Octavian Voicu octavian.voicu at gmail.com
Wed Aug 31 21:23:12 CDT 2011


--
InterlockedCompareExchangePointer always returns the old address of the
pointer. If This->ctx becomes non-null after the initial check, but before
the atomic operation, the newly allocated ctx will be leaked. Moreover,
the old ctx will be freed and This->ctx will point to the just-freed
memory, which is now invalid. Destroying the object now would crash.

---
 dlls/vbscript/vbscript.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dlls/vbscript/vbscript.c b/dlls/vbscript/vbscript.c
index 084337f..caee4d4 100644
--- a/dlls/vbscript/vbscript.c
+++ b/dlls/vbscript/vbscript.c
@@ -348,7 +348,7 @@ static ULONG WINAPI VBScriptParse_Release(IActiveScriptParse *iface)
 static HRESULT WINAPI VBScriptParse_InitNew(IActiveScriptParse *iface)
 {
     VBScript *This = impl_from_IActiveScriptParse(iface);
-    script_ctx_t *ctx;
+    script_ctx_t *ctx, *old_ctx;
 
     TRACE("(%p)\n", This);
 
@@ -359,8 +359,8 @@ static HRESULT WINAPI VBScriptParse_InitNew(IActiveScriptParse *iface)
     if(!ctx)
         return E_OUTOFMEMORY;
 
-    ctx = InterlockedCompareExchangePointer((void**)&This->ctx, ctx, NULL);
-    if(ctx) {
+    old_ctx = InterlockedCompareExchangePointer((void**)&This->ctx, ctx, NULL);
+    if(old_ctx) {
         destroy_script(ctx);
         return E_UNEXPECTED;
     }
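Review bot: the compare-exchange result now goes into old_ctx, so the `if(old_ctx)` branch destroys the allocation that lost the race (`destroy_script(ctx)`) rather than the context already installed in This->ctx, which is exactly what the old code got backwards; that resolves both the leak and the later use of freed memory described in the commit message. Since the previous version shows how easy it is to misread the return value of InterlockedCompareExchangePointer, a one-line comment above the call (e.g. "old_ctx != NULL means another caller installed a context first; discard ours") would help keep the next reader from reintroducing the bug.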
-- 
1.7.4.1