vbscript: Fix possible memory leak/crash caused by race condition in VBScriptParse_InitNew.
Octavian Voicu
octavian.voicu at gmail.com
Wed Aug 31 21:23:12 CDT 2011
--
InterlockedCompareExchangePointer always returns the old address of the
pointer. If This->ctx becomes non-null after the initial check, but before
the atomic operation, the newly allocated ctx will be leaked. Moreover,
the old ctx will be freed and This->ctx would point to the just freed
memory, which is now invalid. Destroying the object now would crash.
---
dlls/vbscript/vbscript.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/dlls/vbscript/vbscript.c b/dlls/vbscript/vbscript.c
index 084337f..caee4d4 100644
--- a/dlls/vbscript/vbscript.c
+++ b/dlls/vbscript/vbscript.c
@@ -348,7 +348,7 @@ static ULONG WINAPI VBScriptParse_Release(IActiveScriptParse *iface)
static HRESULT WINAPI VBScriptParse_InitNew(IActiveScriptParse *iface)
{
VBScript *This = impl_from_IActiveScriptParse(iface);
- script_ctx_t *ctx;
+ script_ctx_t *ctx, *old_ctx;
TRACE("(%p)\n", This);
@@ -359,8 +359,8 @@ static HRESULT WINAPI VBScriptParse_InitNew(IActiveScriptParse *iface)
if(!ctx)
return E_OUTOFMEMORY;
- ctx = InterlockedCompareExchangePointer((void**)&This->ctx, ctx, NULL);
- if(ctx) {
+ old_ctx = InterlockedCompareExchangePointer((void**)&This->ctx, ctx, NULL);
+ if(old_ctx) {
destroy_script(ctx);
return E_UNEXPECTED;
}
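Review bot: Comparing the previous value in `old_ctx` while leaving `ctx` as the new allocation is the right fix for this hunk: on the lost-race path `destroy_script(ctx)` now frees the context this call just allocated instead of the one already installed in This->ctx, and on the success path `ctx` is no longer overwritten with NULL. One suggestion: since `old_ctx` serves only as a succeeded/lost flag, a one-line comment above the call saying that InterlockedCompareExchangePointer returns the previous contents of This->ctx would help the next reader, given that the original bug came from reading that return value as the new pointer.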
--
1.7.4.1
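The race the commit message describes can be reproduced without Wine. The following C program is an added example, not part of the patch or of the Wine source: it uses a GCC/Clang `__sync_val_compare_and_swap` builtin as a stand-in for `InterlockedCompareExchangePointer` (same contract: the previous contents of the destination are returned), hypothetical `script_ctx_t`/`vbscript_t` structs, and a `destroy_script` that only marks a context as destroyed so the dangling pointer the bug leaves behind can be inspected safely. Both the pre-patch and the patched logic are run through the same lost-race and success scenarios.

```c
/* Added example, not Wine code: shows why the result of a compare-exchange
 * must be treated as the previous value, not reused as the new pointer. */
#include <stdio.h>

/* Assumption: GCC/Clang builtin standing in for InterlockedCompareExchangePointer.
 * Like the Win32 API it returns what *dest held before the call. */
static void *cas_pointer(void **dest, void *exchange, void *comparand)
{
    return __sync_val_compare_and_swap(dest, comparand, exchange);
}

typedef struct { int id; } script_ctx_t;      /* hypothetical, not Wine's */
typedef struct { script_ctx_t *ctx; } vbscript_t;
typedef int (*init_new_fn)(vbscript_t *, script_ctx_t *);

/* Instead of freeing, negate the id so a "destroyed" context stays observable. */
static void destroy_script(script_ctx_t *ctx)
{
    ctx->id = -ctx->id;
}

/* Mirrors the pre-patch logic: the CAS result overwrites ctx.
 * Returns 0 on success, -1 when the race was lost. */
static int init_new_buggy(vbscript_t *This, script_ctx_t *ctx)
{
    ctx = cas_pointer((void**)&This->ctx, ctx, NULL);
    if(ctx) {
        destroy_script(ctx);  /* destroys the ctx still installed in This->ctx */
        return -1;
    }
    return 0;
}

/* Mirrors the patched logic: previous value kept separately in old_ctx. */
static int init_new_fixed(vbscript_t *This, script_ctx_t *ctx)
{
    script_ctx_t *old_ctx = cas_pointer((void**)&This->ctx, ctx, NULL);
    if(old_ctx) {
        destroy_script(ctx);  /* destroys only the allocation this call made */
        return -1;
    }
    return 0;
}

/* Lost-race scenario (constructed): ctx 1 is already installed when a second
 * InitNew arrives with ctx 2. Both variants must report the race (-1). */
static int run_lost_race(init_new_fn f, script_ctx_t *first, script_ctx_t *second)
{
    vbscript_t This = { first };
    first->id = 1;
    second->id = 2;
    return f(&This, second) == -1 ? 1 : 0;
}

/* Id of the context left in This->ctx after the lost race; negative means
 * the installed context was destroyed underneath the object. */
static int lost_race_installed_id(init_new_fn f)
{
    script_ctx_t first, second;
    if(!run_lost_race(f, &first, &second)) return 0;
    return first.id;
}

/* 1 if the freshly allocated context was never destroyed (a leak), else 0. */
static int lost_race_leaked(init_new_fn f)
{
    script_ctx_t first, second;
    if(!run_lost_race(f, &first, &second)) return 0;
    return second.id > 0;
}

/* Success scenario: nothing installed yet; returns the id now in This->ctx. */
static int success_installed_id(init_new_fn f)
{
    script_ctx_t fresh = { 3 };
    vbscript_t This = { NULL };
    if(f(&This, &fresh) != 0) return 0;
    return This.ctx->id;
}

int main(void)
{
    printf("buggy: installed id after lost race = %d, new ctx leaked = %d\n",
           lost_race_installed_id(init_new_buggy), lost_race_leaked(init_new_buggy));
    printf("fixed: installed id after lost race = %d, new ctx leaked = %d\n",
           lost_race_installed_id(init_new_fixed), lost_race_leaked(init_new_fixed));
    printf("success path installs id %d / %d\n",
           success_installed_id(init_new_buggy), success_installed_id(init_new_fixed));
    return 0;
}
```

With the pre-patch logic the lost-race run reports installed id -1 (the live context was destroyed while This->ctx still points at it) and a leaked new context; with the patched logic the installed context keeps id 1 and the new one is the only thing destroyed. The success path behaves the same for both, which is why the bug only surfaces when two InitNew calls race.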