[PATCH 0/1] MR11060: ddraw/tests: Remove extra backbuffer1 release in test_surface_attachment().
From: Paul Gofman <pgofman@codeweavers.com> --- dlls/ddraw/tests/ddraw1.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dlls/ddraw/tests/ddraw1.c b/dlls/ddraw/tests/ddraw1.c index 9ddb58b1bbb..b3a21c5010b 100644 --- a/dlls/ddraw/tests/ddraw1.c +++ b/dlls/ddraw/tests/ddraw1.c @@ -6507,8 +6507,7 @@ static void test_surface_attachment(void) ref = IDirectDrawSurface_Release(backbuffer1); ref = IDirectDrawSurface_Release(surface1); ok(!ref, "got %ld.\n", ref); - ref = IDirectDrawSurface_Release(backbuffer1); - ok(!ref, "got %ld.\n", ref); + /* backbuffer1 is auto-generated attachemnt for surface1 and is supposed to be released during surface1 destruction. */ ref = IDirectDrawSurface_Release(backbuffer2); ok(!ref, "got %ld.\n", ref); ref = IDirectDrawSurface_Release(surface2); -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/11060
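Review bot: The one remaining `ref = IDirectDrawSurface_Release(backbuffer1);` in the context lines at the top of the hunk stores a refcount that is overwritten by `ref = IDirectDrawSurface_Release(surface1);` before anything checks it. Now that this is the only explicit release of backbuffer1 left in the sequence, either assert the expected value with ok() or drop the assignment, so the test records what the refcount is supposed to be at that point and a regression in attachment ownership shows up as a test failure rather than as a use after free. The added comment also misspells "attachment" as "attachemnt" and is one very long line; wrapping it over two lines would make it easier to read.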
That fixes the use after free spotted here: https://gitlab.winehq.org/wine/wine/-/merge_requests/10992#note_142086

I checked on Windows with heap debug flags, but on Windows this implicit backbuffer1 surface interface seems to be impossible to free at all after this test. While the refcount is 0, the interface refuses to go away. That may have something to do with the spurious refcount increase on the chain start after deleting the tail element from the chain (maybe there are additional inner references which don't go away after zeroing the external refcount).

Since this only happens in an extreme corner case unlikely to be used in practice (which I added to the tests only in an attempt to find generic logic in attachment behaviour), I guess we might not be concerned with this difference in implementation.

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/11060#note_142115
This merge request was approved by Elizabeth Figura. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/11060