Module: wine Branch: master Commit: 13b65faf4e758439afc5139098b4231407c5bb0f URL: http://source.winehq.org/git/wine.git/?a=commit;h=13b65faf4e758439afc5139098...
Author: Thomas Faber thomas.faber@reactos.org Date: Sat Apr 18 12:08:29 2015 +0200
comctl32: Avoid use-after-free in DPA_Merge (DPH).
---
dlls/comctl32/dpa.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/dlls/comctl32/dpa.c b/dlls/comctl32/dpa.c index 148d3f1..b5b7ff8 100644 --- a/dlls/comctl32/dpa.c +++ b/dlls/comctl32/dpa.c @@ -303,16 +303,14 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags, hdpa1->nItemCount, hdpa2->nItemCount);
- /* working but untrusted implementation */ - - pWork1 = &(hdpa1->ptrs[hdpa1->nItemCount - 1]); - pWork2 = &(hdpa2->ptrs[hdpa2->nItemCount - 1]); - nIndex = hdpa1->nItemCount - 1; nCount = hdpa2->nItemCount - 1;
do { + pWork1 = &hdpa1->ptrs[nIndex]; + pWork2 = &hdpa2->ptrs[nCount]; + if (nIndex < 0) { if ((nCount >= 0) && (dwFlags & DPAM_UNION)) { /* Now insert the remaining new items into DPA 1 */ @@ -343,10 +341,8 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags, return FALSE;
nCount--; - pWork2--; *pWork1 = ptr; nIndex--; - pWork1--; } else if (nResult > 0) { @@ -361,7 +357,6 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags, (pfnMerge)(DPAMM_DELETE, ptr, NULL, lParam); } nIndex--; - pWork1--; } else { @@ -377,7 +372,6 @@ BOOL WINAPI DPA_Merge (HDPA hdpa1, HDPA hdpa2, DWORD dwFlags, DPA_InsertPtr (hdpa1, nIndex+1, ptr); } nCount--; - pWork2--; }
}