From: Yuxuan Shui <yshui@codeweavers.com> Though WaitForSingleObject timed out, the IO operation is still running in the background. After the function process_send_command returns, the OVERLAPPED object referenced by this IO operation becomes invalid. Later, when this IO finally completes, server_select will use invalid stack memory. --- programs/services/rpc.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/programs/services/rpc.c b/programs/services/rpc.c index 1f36b783765..a5bfe3cc603 100644 --- a/programs/services/rpc.c +++ b/programs/services/rpc.c @@ -1200,16 +1200,22 @@ static BOOL process_send_command(struct process_entry *process, const void *data if (ret == WAIT_TIMEOUT) { WINE_ERR("receiving command result timed out\n"); - *result = ERROR_SERVICE_REQUEST_TIMEOUT; - return FALSE; + if (!CancelIoEx(process->control_pipe, &overlapped)) + WINE_ERR("Failed to cancel IO, %#lx\n", GetLastError()); } r = GetOverlappedResult(process->control_pipe, &overlapped, &count, FALSE); } if (!r || count != sizeof *result) { - WINE_ERR("service protocol error - failed to read pipe " - "r = %d count = %ld!\n", r, count); - *result = (!r ? GetLastError() : ERROR_READ_FAULT); + DWORD error = GetLastError(); + if (error == ERROR_OPERATION_ABORTED) + *result = ERROR_SERVICE_REQUEST_TIMEOUT; + else + { + WINE_ERR("service protocol error - failed to read pipe " + "r = %d count = %ld!\n", r, count); + *result = (!r ? GetLastError() : ERROR_READ_FAULT); + } return FALSE; } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/10424