Zhiyi Zhang : riched20: Fix a use after free. - wine-commits

2 Jan 2019

Module: wine
Branch: master
Commit: 62d80cff6917d6809614885f833358baeb310f20
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=62d80cff6917d6809614885f8...
Author: Zhiyi Zhang zzhang@codeweavers.com
Date:   Wed Jan  2 00:03:29 2019 +0800
riched20: Fix a use after free.
In ME_DestroyEditor(), the item list is being freed when
calling get_total_width() in destroy_para().
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46328
Signed-off-by: Zhiyi Zhang zzhang@codeweavers.com
Signed-off-by: Huw Davies huw@codeweavers.com
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/riched20/editor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 9bacc63..2bb2858 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -3183,13 +3183,13 @@ ME_TextEditor *ME_MakeEditor(ITextHost *texthost, BOOL bEmulateVersion10)
void ME_DestroyEditor(ME_TextEditor *editor)
 {
-  ME_DisplayItem *pFirst = editor->pBuffer->pFirst;
-  ME_DisplayItem *p = pFirst, *pNext = NULL;
+  ME_DisplayItem *p = editor->pBuffer->pFirst, *pNext = NULL;
   ME_Style *s, *cursor2;
   int i;
ME_ClearTempStyle(editor);
   ME_EmptyUndoStack(editor);
+  editor->pBuffer->pFirst = NULL;
   while(p) {
     pNext = p->next;
     if (p->type == diParagraph)

    