[1/5] ntoskrnl.exe: Defer deallocation of in_buff in dispatch_ioctl.
Sebastian Lackner
sebastian at fds-team.de
Sun Oct 16 01:48:55 CDT 2016
Signed-off-by: Sebastian Lackner <sebastian at fds-team.de>
---
Otherwise the caller might try to reuse the released buffer in case of a failure.
dlls/ntoskrnl.exe/ntoskrnl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 428e700..3c18ee6 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -417,6 +417,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
{
IRP *irp;
void *out_buff = NULL;
+ void *to_free = NULL;
DEVICE_OBJECT *device;
FILE_OBJECT *file = wine_server_get_ptr( params->ioctl.file );
@@ -435,7 +436,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
if ((params->ioctl.code & 3) == METHOD_BUFFERED)
{
memcpy( out_buff, in_buff, in_size );
- HeapFree( GetProcessHeap(), 0, in_buff );
+ to_free = in_buff;
in_buff = out_buff;
}
}
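Review bot: The `memcpy( out_buff, in_buff, in_size )` in the METHOD_BUFFERED branch writes in_size bytes into out_buff, but out_buff is allocated above this hunk, so its size is not visible here. If it is sized from the output length alone and in_size is supplied by the requesting client, a request whose input is larger than its output would overrun the heap block. Please confirm the allocation covers `max( in_size, out_size )` and state the invariant next to the copy, e.g. `/* out_buff is allocated with at least in_size bytes */`. The enclosing function starts and ends outside the hunk.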
@@ -455,6 +456,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
irp->Flags |= IRP_DEALLOCATE_BUFFER; /* deallocate in_buff */
dispatch_irp( device, irp, irp_handle );
+ HeapFree( GetProcessHeap(), 0, to_free );
return STATUS_SUCCESS;
}
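Review bot: Ownership of the caller's buffer now depends on the return value, and nothing in the code says so. On STATUS_SUCCESS the original in_buff is released here through to_free in the buffered case, or (per the comment on IRP_DEALLOCATE_BUFFER) with the IRP otherwise, while on a failure return the caller keeps it. A short comment above dispatch_ioctl would make the contract explicit, e.g. `/* on success in_buff is consumed; on failure the caller still owns it */`. The existing `/* deallocate in_buff */` is also ambiguous after the swap in the buffered branch, because the local in_buff then aliases out_buff. Error returns between the swap and this HeapFree are outside the visible hunks; they should release out_buff only and leave to_free to the caller.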
--
2.9.0