Module: wine Branch: master Commit: 8713e2ad6497e6eba63a4dd7136d47a80a430815 URL: https://gitlab.winehq.org/wine/wine/-/commit/8713e2ad6497e6eba63a4dd7136d47a...
Author: Gabriel Ivăncescu gabrielopcode@gmail.com Date: Tue Jul 18 20:44:07 2023 +0300
mshtml: Grab the binding while aborting it.
Holding the BindStatusCallback ref is not enough; Abort can end up calling OnStopBinding which intentionally removes the binding and releases its ref. urlmon's Abort will then have a use-after-free when accessing the state to set BINDING_ABORTED, if it was destroyed.
Signed-off-by: Gabriel Ivăncescu gabrielopcode@gmail.com
---
dlls/mshtml/navigate.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/dlls/mshtml/navigate.c b/dlls/mshtml/navigate.c
index 4706167875e..112b63ba4b1 100644
--- a/dlls/mshtml/navigate.c
+++ b/dlls/mshtml/navigate.c
@@ -1993,10 +1993,16 @@ void abort_window_bindings(HTMLInnerWindow *window)
IBindStatusCallback_AddRef(&iter->IBindStatusCallback_iface);
- if(iter->binding)
- IBinding_Abort(iter->binding);
- else
+ if(iter->binding) {
+ IBinding *binding = iter->binding;
+
+ /* Abort can end up calling our OnStopBinding, which releases the binding. */
+ IBinding_AddRef(binding);
+ IBinding_Abort(binding);
+ IBinding_Release(binding);
+ }else {
iter->vtbl->stop_binding(iter, E_ABORT);
+ }
iter->window = NULL;
list_remove(&iter->entry);
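Review bot: The new `IBinding_AddRef(binding)` / `IBinding_Release(binding)` pair around `IBinding_Abort(binding)` only shields this caller; if urlmon's Abort really touches its own state after OnStopBinding has returned (as the description states), any other IBinding client whose OnStopBinding drops the last reference is still exposed to the same use-after-free, so the Abort implementation should presumably also hold a self-reference across the callback. The added comment names the release but not the reason the extra reference matters; I would extend it to `/* Abort can end up calling our OnStopBinding, which releases the binding, and urlmon's Abort still touches the binding afterwards, so keep it alive across the call. */`. Since the hunk deliberately reads `iter->binding` once into the local `binding` before the call, a short note that `iter->binding` must not be reused after Abort would make that intent explicit for the next editor. The enclosing loop of abort_window_bindings continues past the end of the hunk.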