[PATCH 10/11] d3d11: Avoid potential double free in d3d11_device_CreateSamplerState().

Józef Kucia jkucia at codeweavers.com
Thu Apr 27 05:02:53 CDT 2017


The parent is owned by the wined3d_sampler object and it is destroyed in
the wined3d_object_destroyed() callback.

Signed-off-by: Józef Kucia <jkucia at codeweavers.com>
---
 dlls/d3d11/state.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/dlls/d3d11/state.c b/dlls/d3d11/state.c
index 2b5a2c0..43dd10f 100644
--- a/dlls/d3d11/state.c
+++ b/dlls/d3d11/state.c
@@ -1257,22 +1257,24 @@ HRESULT d3d_sampler_state_init(struct d3d_sampler_state *state, struct d3d_devic
     wined3d_desc.comparison_func = wined3d_cmp_func_from_d3d11(desc->ComparisonFunc);
     wined3d_desc.srgb_decode = TRUE;
 
-    if (FAILED(hr = wined3d_sampler_create(device->wined3d_device, &wined3d_desc,
-            state, &d3d_sampler_wined3d_parent_ops, &state->wined3d_sampler)))
+    if (wine_rb_put(&device->sampler_states, desc, &state->entry) == -1)
     {
-        WARN("Failed to create wined3d sampler, hr %#x.\n", hr);
+        ERR("Failed to insert sampler state entry.\n");
         wined3d_private_store_cleanup(&state->private_store);
         wined3d_mutex_unlock();
-        return hr;
+        return E_FAIL;
     }
 
-    if (wine_rb_put(&device->sampler_states, desc, &state->entry) == -1)
+    /* We cannot fail after creating a wined3d_sampler object. It would lead to
+     * double free. */
+    if (FAILED(hr = wined3d_sampler_create(device->wined3d_device, &wined3d_desc,
+            state, &d3d_sampler_wined3d_parent_ops, &state->wined3d_sampler)))
     {
-        ERR("Failed to insert sampler state entry.\n");
-        wined3d_sampler_decref(state->wined3d_sampler);
+        WARN("Failed to create wined3d sampler, hr %#x.\n", hr);
         wined3d_private_store_cleanup(&state->private_store);
+        wine_rb_remove(&device->sampler_states, &state->entry);
         wined3d_mutex_unlock();
-        return E_FAIL;
+        return hr;
     }
     wined3d_mutex_unlock();
 
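Review bot: The new comment above wined3d_sampler_create() says that failing after creation "would lead to double free" but not why, so a later change could reintroduce a wined3d_sampler_decref() in an error path, as in the removed lines. Carry the reason from the commit message into the comment: the d3d_sampler_state is the parent of the wined3d_sampler and is destroyed from the wined3d_object_destroyed() callback, so dropping the sampler reference already frees state and the caller must not free it again. Also, with the new order the entry is in device->sampler_states before state->wined3d_sampler is set; both paths only call wined3d_mutex_unlock() after that window, so this looks safe as long as every lookup in the tree takes the same mutex, and that is worth confirming or noting. Minor: in the wined3d_sampler_create() failure path, calling wine_rb_remove() before wined3d_private_store_cleanup() would undo the setup steps in reverse order.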
-- 
2.10.2
