https://bugs.winehq.org/show_bug.cgi?id=55527 Bug ID: 55527 Summary: urlmon use-after-free when handling HTTP redirect Product: Wine Version: 8.15 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: urlmon Assignee: wine-bugs(a)winehq.org Reporter: yshuiv7(a)gmail.com Distribution: --- In this chain of calls: HttpProtocol_Continue (urlmon/http.c) protocol_continue (urlmon/protocol.c) start_downloading HttpProtocol_start_downloading (urlmon/http.c) (assuming status code is redirect, and BINDINFO_OPTIONS_DISABLEAUTOREDIRECTS is set) IInternetProtocolSink_ReportResult ProtocolSinkHandler_ReportResult (urlmon/bindprot.c) handle_redirect handle_redirect terminates and releases the `Protocol` object, which `protocol_continue` is still using, resulting in a use-after-free. I tried surrounding `start_downloading` with `AddRef/Release` but then I found there is at least another user of this object in `INTERNET_WorkerThreadFunc`. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.