Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52423
Signed-off-by: Konstantin Romanov incubusrk@gmail.com --- dlls/gdiplus/gdiplus.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/dlls/gdiplus/gdiplus.c b/dlls/gdiplus/gdiplus.c index 7c4c68f162f..7b0592c184c 100644 --- a/dlls/gdiplus/gdiplus.c +++ b/dlls/gdiplus/gdiplus.c @@ -473,10 +473,14 @@ void delete_element(region_element* element) case RegionDataInfiniteRect: break; default: - delete_element(element->elementdata.combine.left); - delete_element(element->elementdata.combine.right); - heap_free(element->elementdata.combine.left); - heap_free(element->elementdata.combine.right); + if(element->elementdata.combine.left){ + delete_element(element->elementdata.combine.left); + heap_free(element->elementdata.combine.left); + } + if(element->elementdata.combine.right){ + delete_element(element->elementdata.combine.right); + heap_free(element->elementdata.combine.right); + } break; } }
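Review bot: In the default (combine) case of delete_element, the new checks on element->elementdata.combine.left and element->elementdata.combine.right skip a NULL child silently, but neither the commit message nor the hunk says how a combine element ends up with a NULL child, so the guard may be hiding a region that was only partially built. Please describe the call sequence that produces the NULL child in the commit message and cover it with a test. If NULL children are a legitimate state, a single early return for a NULL element at the top of delete_element would avoid repeating the check per child, provided heap_free accepts a NULL pointer.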
Please add a test case for this that replicates the crashing call sequence.
It looks to me like the error path of clone_element could cause this, but that's not something we can really test.
On Thu, Jan 20, 2022 at 5:05 AM Nikolay Sivov nsivov@codeweavers.com wrote:
Please add a test case for this that replicates the crashing call sequence.
It looks to me like the error path of clone_element could cause this, but that's not something we can really test.
That wouldn't cause a crash in GdipDeleteRegion like the log on the bug shows, so I guess it's not that.