[PATCH 0/1] MR9405: dsound: Avoid use after free in DSOUND_WaveFormat (ASan).
Contents of `mixwfe` are copied into `wfe` and `mixwfe` is freed by `CoTaskMemFree`. But then `mixwfe` is used again. This patch uses the values from `wfe`.

[This is a testbot run with this patch](https://testbot.winehq.org/JobDetails.pl?Key=160647)

[ASan details found by gitlab-CI](https://gitlab.winehq.org/bernhardu/wine/-/jobs/205270#L530)

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/9405
From: Bernhard Übelacker <bernhardu(a)mailbox.org> --- dlls/dsound/primary.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dlls/dsound/primary.c b/dlls/dsound/primary.c index 9a5557f2c83..04e66ec6461 100644 --- a/dlls/dsound/primary.c +++ b/dlls/dsound/primary.c @@ -128,9 +128,9 @@ static HRESULT DSOUND_WaveFormat(DirectSoundDevice *device, IAudioClient *client wfe.Samples.wValidBitsPerSample = wfe.Format.wBitsPerSample = 32; if (wfe.Format.nChannels < device->num_speakers) { - device->speaker_config = DSOUND_FindSpeakerConfig(device->mmdevice, mixwfe->Format.nChannels); + device->speaker_config = DSOUND_FindSpeakerConfig(device->mmdevice, wfe.Format.nChannels); DSOUND_ParseSpeakerConfig(device); - } else if (mixwfe->Format.nChannels > device->num_speakers) { + } else if (wfe.Format.nChannels > device->num_speakers) { wfe.Format.nChannels = device->num_speakers; wfe.dwChannelMask = speaker_config_to_channel_mask(device->speaker_config); } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/9405
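Review bot: The dangling `mixwfe` pointer stays in scope after this fix, so the two corrected reads (the `DSOUND_FindSpeakerConfig(...)` argument and the `else if` condition) could be reintroduced by a later edit without any compiler diagnostic. The cover letter says `mixwfe` is released with `CoTaskMemFree` after being copied into `wfe`; setting `mixwfe = NULL` directly after that call would make any future stale read fault deterministically instead of depending on an ASan run to surface it. The hunk only shows these two uses, so it is also worth confirming that no other `mixwfe->` dereference remains later in `DSOUND_WaveFormat`. Separately, the patch mail carries no description between the `From:` line and the diffstat; the explanation from the cover letter (copy into `wfe`, free, then reuse) belongs in the commit message so it survives in the history.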
Yeah, I missed those two references. Thanks for catching this! -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9405#note_121860
This merge request was approved by Giovanni Mascellani. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9405
This merge request was approved by Huw Davies. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9405