[PATCH] gdi32: Fix double-free on repeated calls to Delete[Enh]MetaFile.
21 Jul
2:13 p.m.
Hi Daniel,

On 7/21/21 1:53 AM, Daniel Lehman wrote:
diff --git a/dlls/gdi32/gdiobj.c b/dlls/gdi32/gdiobj.c index 9059f817636..f56b8891d84 100644 --- a/dlls/gdi32/gdiobj.c +++ b/dlls/gdi32/gdiobj.c @@ -916,6 +916,7 @@ BOOL WINAPI NtGdiDeleteObjectApp( HGDIOBJ obj ) return TRUE; }
+ entry->UserPointer = 0; obj = entry_to_handle( entry ); /* make it a full handle */
hdcs_head = header->hdcs;
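Review bot: the new `entry->UserPointer = 0;` in NtGdiDeleteObjectApp comes after the early `return TRUE;` branch visible in the context, so a delete that leaves through that branch keeps the old UserPointer, and a repeated Delete[Enh]MetaFile could still pick it up. Please confirm that branch cannot be taken for metafile handles, or move the clear ahead of it. The assignment also sits in the generic object delete path with no comment saying it is there to stop the metafile double-free; a one-line comment next to it would make that intent clear.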
The idea is that NtGdiDeleteClientObj should fail for the second attempt to delete metafiles. Looking at why it's not failing, I think we should just call free_gdi_handle there. What do you think about the attached fix?

Thanks,
Jacek
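The approach discussed in this reply, where the delete call itself fails on a repeated handle, can be sketched with a small handle table. This is an added example, not code from the patch or from Wine: `alloc_handle`, `lookup`, `delete_client_obj`, the table layout and the generation counter are all hypothetical, and the generation counter goes beyond what the thread describes.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model, not Wine's gdi32: handle = (generation << 16) | (index + 1). */
#define MAX_HANDLES 16
struct entry {
    void    *user_ptr;    /* client-side object owned by this handle */
    uint16_t generation;  /* bumped on every free so stale handles stop resolving */
    int      in_use;
};
static struct entry table[MAX_HANDLES];

static uint32_t alloc_handle(void *obj) {
    for (uint32_t i = 0; i < MAX_HANDLES; i++) {
        if (table[i].in_use) continue;
        table[i].in_use = 1;
        table[i].user_ptr = obj;
        return ((uint32_t)table[i].generation << 16) | (i + 1);
    }
    return 0;  /* table full */
}

/* Resolve a full handle; NULL when it is stale, already freed, or out of range. */
static struct entry *lookup(uint32_t handle) {
    uint32_t idx = (handle & 0xffff) - 1;
    if (idx >= MAX_HANDLES) return NULL;
    struct entry *e = &table[idx];
    if (!e->in_use || e->generation != (uint16_t)(handle >> 16)) return NULL;
    return e;
}

/* Returns 1 on the first delete and 0 on any repeat: the entry is released
 * before the object is freed, so a second call never reaches free(). */
static int delete_client_obj(uint32_t handle) {
    struct entry *e = lookup(handle);
    if (!e) return 0;
    void *obj = e->user_ptr;
    e->user_ptr = NULL;
    e->in_use = 0;
    e->generation++;
    free(obj);
    return 1;
}

int main(void) {  /* exit status 0 when the repeated delete is rejected */
    uint32_t h = alloc_handle(malloc(8));
    return !(delete_client_obj(h) == 1 && delete_client_obj(h) == 0);
}
```

Because the generation changes when a slot is released, a stale handle also fails to resolve after the slot has been reused for a different object.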