Module: wine Branch: master Commit: fb807220c4e81ed9989959998c96cba3d2ea2a61 URL: http://source.winehq.org/git/wine.git/?a=commit;h=fb807220c4e81ed9989959998c...
Author: Józef Kucia jkucia@codeweavers.com Date: Thu Apr 27 12:02:53 2017 +0200
d3d11: Avoid potential double free in d3d11_device_CreateSamplerState().
The parent is owned by the wined3d_sampler object and it is destroyed in the wined3d_object_destroyed() callback.
Signed-off-by: Józef Kucia jkucia@codeweavers.com Signed-off-by: Henri Verbeet hverbeet@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/d3d11/state.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/dlls/d3d11/state.c b/dlls/d3d11/state.c
index 2b5a2c0..43dd10f 100644
--- a/dlls/d3d11/state.c
+++ b/dlls/d3d11/state.c
@@ -1257,22 +1257,24 @@ HRESULT d3d_sampler_state_init(struct d3d_sampler_state *state, struct d3d_devic
 wined3d_desc.comparison_func = wined3d_cmp_func_from_d3d11(desc->ComparisonFunc);
 wined3d_desc.srgb_decode = TRUE;
- if (FAILED(hr = wined3d_sampler_create(device->wined3d_device, &wined3d_desc,
- state, &d3d_sampler_wined3d_parent_ops, &state->wined3d_sampler)))
+ if (wine_rb_put(&device->sampler_states, desc, &state->entry) == -1)
 {
- WARN("Failed to create wined3d sampler, hr %#x.\n", hr);
+ ERR("Failed to insert sampler state entry.\n");
 wined3d_private_store_cleanup(&state->private_store);
 wined3d_mutex_unlock();
- return hr;
+ return E_FAIL;
 }
- if (wine_rb_put(&device->sampler_states, desc, &state->entry) == -1)
+ /* We cannot fail after creating a wined3d_sampler object. It would lead to
+ * double free. */
+ if (FAILED(hr = wined3d_sampler_create(device->wined3d_device, &wined3d_desc,
+ state, &d3d_sampler_wined3d_parent_ops, &state->wined3d_sampler)))
 {
- ERR("Failed to insert sampler state entry.\n");
- wined3d_sampler_decref(state->wined3d_sampler);
+ WARN("Failed to create wined3d sampler, hr %#x.\n", hr);
 wined3d_private_store_cleanup(&state->private_store);
+ wine_rb_remove(&device->sampler_states, &state->entry);
 wined3d_mutex_unlock();
- return E_FAIL;
+ return hr;
 }
 wined3d_mutex_unlock();
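Review bot: The comment added above `wined3d_sampler_create()` gives the rule but not the ownership behind it, so a later edit that puts a fallible step after the call could bring the double free back. I would state it outright, e.g. `/* Once wined3d_sampler_create() succeeds, the wined3d_sampler owns "state" and releases it from the wined3d_object_destroyed() callback; anything that can fail must run before this call. */`. The reordered failure branch also relies on `wined3d_sampler_create()` not invoking `d3d_sampler_wined3d_parent_ops` when it returns an error, otherwise `state` would be torn down twice on that path as well; that contract is outside this hunk and worth confirming. The body of `d3d_sampler_state_init()` starts and ends outside the hunk.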