https://bugs.winehq.org/show_bug.cgi?id=55527
Bug ID: 55527
Summary: urlmon use-after-free when handling HTTP redirect
Product: Wine
Version: 8.15
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: urlmon
Assignee: wine-bugs@winehq.org
Reporter: yshuiv7@gmail.com
Distribution: ---

In this chain of calls:

HttpProtocol_Continue (urlmon/http.c)
protocol_continue (urlmon/protocol.c)
start_downloading
HttpProtocol_start_downloading (urlmon/http.c)
(assuming status code is redirect, and BINDINFO_OPTIONS_DISABLEAUTOREDIRECTS is set)
IInternetProtocolSink_ReportResult
ProtocolSinkHandler_ReportResult (urlmon/bindprot.c)
handle_redirect

handle_redirect terminates and releases the `Protocol` object, which `protocol_continue` is still using, resulting in a use-after-free.

I tried surrounding `start_downloading` with `AddRef/Release`, but then I found there is at least one other user of this object in `INTERNET_WorkerThreadFunc`.
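
The pattern described in this report, as an added example that is not Wine code: a simplified C model in which a sink callback drops the last reference while the caller is still running, next to a caller that holds its own reference across the call. The `protocol` struct and every function name here are hypothetical, and the external `destroyed` flag stands in for the point where the real code would touch freed memory.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of a refcounted protocol object. */
typedef struct protocol {
    long ref;
    int *destroyed;                       /* lives outside the object */
    void (*report_result)(struct protocol *);
    int state;
} protocol;

static void protocol_addref(protocol *p) { p->ref++; }

static void protocol_release(protocol *p)
{
    if (--p->ref == 0) {
        *p->destroyed = 1;                /* record destruction, then free */
        free(p);
    }
}

/* Sink callback: like handle_redirect in the report, it drops a reference. */
static void sink_handle_redirect(protocol *p) { protocol_release(p); }

static protocol *protocol_create(int *destroyed)
{
    protocol *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->ref = 1;
    p->destroyed = destroyed;
    p->report_result = sink_handle_redirect;
    *destroyed = 0;
    return p;
}

/* Returns 1 if the object was gone when the caller resumed, 0 if alive. */
static int continue_unguarded(protocol *p, const int *destroyed)
{
    p->report_result(p);                  /* may drop the last reference */
    if (*destroyed) return 1;             /* real code would touch p here */
    p->state = 1;
    return 0;
}

static int continue_guarded(protocol *p, const int *destroyed)
{
    int gone;
    protocol_addref(p);                   /* caller's own reference */
    p->report_result(p);
    gone = *destroyed;                    /* 0: our reference kept it alive */
    if (!gone) p->state = 1;              /* safe use after the callback */
    protocol_release(p);                  /* object may be freed here */
    return gone;
}
```

A guard like this covers only the caller that takes the reference; the report notes at least one other user of the object, which would need a reference of its own.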