Module: wine Branch: master Commit: aa963129d98a11c85a1ab4862beb47ee3731bf25 URL: https://gitlab.winehq.org/wine/wine/-/commit/aa963129d98a11c85a1ab4862beb47e...
Author: Yuxuan Shui yshui@codeweavers.com Date: Wed Nov 1 01:55:28 2023 +0000
rtworkq: Avoid use-after-free.
queue_release_pending_item releases the work_item reference but later accesses `item->queue`, which is a potential use-after-free.
---
dlls/rtworkq/queue.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dlls/rtworkq/queue.c b/dlls/rtworkq/queue.c
index eebb096ad31..00b77bf6953 100644
--- a/dlls/rtworkq/queue.c
+++ b/dlls/rtworkq/queue.c
@@ -734,9 +734,10 @@ static HRESULT invoke_async_callback(IRtwqAsyncResult *result)
 * removed from pending items when it got canceled. */
 static BOOL queue_release_pending_item(struct work_item *item)
 {
+ struct queue *queue = item->queue;
 BOOL ret = FALSE;
- EnterCriticalSection(&item->queue->cs);
+ EnterCriticalSection(&queue->cs);
 if (item->key)
 {
 list_remove(&item->entry);
@@ -744,7 +745,7 @@ static BOOL queue_release_pending_item(struct work_item *item)
 item->key = 0;
 IUnknown_Release(&item->IUnknown_iface);
 }
- LeaveCriticalSection(&item->queue->cs);
+ LeaveCriticalSection(&queue->cs);
 return ret;
 }
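Review bot: The cached `queue` pointer is only safe if the queue outlives the work item, and nothing in the new code documents that invariant; `IUnknown_Release(&item->IUnknown_iface)` in the second hunk may free `item`, and if that release can also drop the last reference to the queue, `LeaveCriticalSection(&queue->cs)` would unlock a freed critical section instead of the freed item. From these hunks I cannot tell whether queue lifetime is independent of its pending items, so a comment on the new declaration would make the assumption explicit for the next reader, e.g. `/* item may be freed by IUnknown_Release() below; the queue must stay alive independently of the item. */`. The function is split across both hunks and the line between them (old line 743) is not shown.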