From: Gabriel Ivăncescu <gabrielopcode(a)gmail.com> Holding the BindStatusCallback ref is not enough; Abort can end up calling OnStopBinding which intentionally removes the binding and releases its ref. urlmon's Abort will then have a use-after-free when accessing the state to set BINDING_ABORTED, if it was destroyed. Signed-off-by: Gabriel Ivăncescu <gabrielopcode(a)gmail.com> --- dlls/mshtml/navigate.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/dlls/mshtml/navigate.c b/dlls/mshtml/navigate.c index 4706167875e..112b63ba4b1 100644 --- a/dlls/mshtml/navigate.c +++ b/dlls/mshtml/navigate.c @@ -1993,10 +1993,16 @@ void abort_window_bindings(HTMLInnerWindow *window) IBindStatusCallback_AddRef(&iter->IBindStatusCallback_iface); - if(iter->binding) - IBinding_Abort(iter->binding); - else + if(iter->binding) { + IBinding *binding = iter->binding; + + /* Abort can end up calling our OnStopBinding, which releases the binding. */ + IBinding_AddRef(binding); + IBinding_Abort(binding); + IBinding_Release(binding); + }else { iter->vtbl->stop_binding(iter, E_ABORT); + } iter->window = NULL; list_remove(&iter->entry); -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/3354
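Review bot: The local `IBinding *binding` copy plus the AddRef/Release pair around `IBinding_Abort(binding)` is the right shape, but the comment only explains half of why the extra reference is needed: per the commit message the real hazard is that urlmon's Abort keeps touching its own state (setting BINDING_ABORTED) after it has called back into OnStopBinding, which drops mshtml's reference, so the comment should say that the binding must outlive the Abort call itself, not merely that `iter->binding` may be cleared underneath us. Suggested wording: `/* Abort may re-enter OnStopBinding, which releases our ref; urlmon still uses the binding after the callback returns, so hold it until Abort is done. */`. Separately, since OnStopBinding is said to remove the binding, please confirm that the unconditional `iter->window = NULL;` and `list_remove(&iter->entry);` that still follow the `if`/`else` are safe when OnStopBinding has already unlinked `iter` during Abort (either by checking the entry is still linked or by noting why a second removal cannot happen); the hunk does not show that path.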