[PATCH v4 1/3] rtworkq: Avoid use-after-free.

1 Nov 2023

From: Yuxuan Shui yshui@codeweavers.com
queue_release_pending_item releases the work_item reference but later accesses `item->queue`, which
is a potential use-after-free.
---
 dlls/rtworkq/queue.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dlls/rtworkq/queue.c b/dlls/rtworkq/queue.c
index 15b8da47639..03a7c1ce8bb 100644
--- a/dlls/rtworkq/queue.c
+++ b/dlls/rtworkq/queue.c
@@ -732,14 +732,16 @@ static HRESULT invoke_async_callback(IRtwqAsyncResult *result)
static void queue_release_pending_item(struct work_item *item)
 {
-    EnterCriticalSection(&item->queue->cs);
+    struct queue *queue = item->queue;
+    EnterCriticalSection(&queue->cs);
     if (item->key)
     {
         list_remove(&item->entry);
         item->key = 0;
         IUnknown_Release(&item->IUnknown_iface);
     }
-    LeaveCriticalSection(&item->queue->cs);
+    LeaveCriticalSection(&queue->cs);
+
 }
static void CALLBACK waiting_item_callback(TP_CALLBACK_INSTANCE *instance, void *context, TP_WAIT *wait,
-- 
GitLab


https://gitlab.winehq.org/wine/wine/-/merge_requests/4243

    

2025

2024

2023

2022

[PATCH v4 1/3] rtworkq: Avoid use-after-free.