2014-04-17 11:54 GMT+08:00 Nikolay Sivov <bunglehead@gmail.com>: > > What you're doing is a violation of refcount handling. The rule is to release what you got, without relying on internals like that. In this case GetSelection() returns interface pointer and you're responsible in exactly one Release() on it.
> > Interesting thing to test would be to check if GetSelection() returns new instance every time it's called. If this is a case it will justify some code changes to support this, right now patch is wrong.
> > If it actually returns same interface pointer you can't protect from use-after-free because I can grab multiple references with several GetSelection() calls, and when I'll try to release them it will be freed already by a loop like that.
Yes, you are right. GetSelection() will not return a new pointer every time it's called, I have checked it by some tests on Windows.