[PATCH] user32: fixed two use-after-free (Coverity)
Marcus Meissner
marcus at jet.franken.de
Fri Aug 17 14:31:34 CDT 2012
cid 714105
pXAct has already been freed by the time pXAct->next is accessed, so
read the next pointer before freeing.
Ciao, Marcus
---
dlls/user32/dde_client.c | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/dlls/user32/dde_client.c b/dlls/user32/dde_client.c
index ef3ee3f..61fb732 100644
--- a/dlls/user32/dde_client.c
+++ b/dlls/user32/dde_client.c
@@ -1246,14 +1246,18 @@ BOOL WINAPI DdeAbandonTransaction(DWORD idInst, HCONV hConv, DWORD idTransaction
{
if ((pConv = WDML_GetConv(hConv, TRUE)) && pConv->instance == pInstance)
{
- for (pXAct = pConv->transactions; pXAct; pXAct = pXAct->next)
- {
+
+ pXAct = pConv->transactions;
+ while (pXAct) {
+ WDML_XACT *nextXAct = pXAct->next;
+
if (pXAct->dwTimeout == TIMEOUT_ASYNC &&
(idTransaction == 0 || pXAct->xActID == idTransaction))
{
WDML_UnQueueTransaction(pConv, pXAct);
WDML_FreeTransaction(pInstance, pXAct, TRUE);
}
+ pXAct = nextXAct;
}
}
}
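Review bot: The saved `nextXAct` at the top of the new `while` loop is only valid if `WDML_UnQueueTransaction` and `WDML_FreeTransaction` never unlink or free any node other than `pXAct`; neither callee is visible here, so the assumption should be recorded in a comment such as `/* fetch next first: pXAct may be freed below */`. The same applies to the second loop, in the hunk at -1262. On style, `while (pXAct) {` puts the brace on the same line while the surrounding code puts it on its own line, and the hunk adds a stray blank line before `pXAct = pConv->transactions;`. Keeping the original `for` with `pXAct = nextXAct` as its step expression would make the change smaller. The body of DdeAbandonTransaction starts and ends outside the hunk.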
@@ -1262,13 +1266,16 @@ BOOL WINAPI DdeAbandonTransaction(DWORD idInst, HCONV hConv, DWORD idTransaction
for (pConv = pInstance->convs[WDML_CLIENT_SIDE]; pConv; pConv = pConv->next)
{
if (!(pConv->wStatus & ST_CONNECTED)) continue;
- for (pXAct = pConv->transactions; pXAct; pXAct = pXAct->next)
- {
+ pXAct = pConv->transactions;
+ while (pXAct) {
+ WDML_XACT *nextXAct = pXAct->next;
+
if (pXAct->dwTimeout == TIMEOUT_ASYNC)
{
WDML_UnQueueTransaction(pConv, pXAct);
WDML_FreeTransaction(pInstance, pXAct, TRUE);
}
+ pXAct = nextXAct;
}
}
}
--
1.7.3.4