From: Bernhard Übelacker bernhardu@mailbox.org
If this realloc is reached and cur is zero, the realloc is called with a size of zero, which behaves like a free and returns NULL, because of which the fail: label is reached, where the memory strs is still pointing to is freed a second time.
---
 dlls/shell32/autocomplete.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/shell32/autocomplete.c b/dlls/shell32/autocomplete.c index d027722cd50..e39e3662d48 100644 --- a/dlls/shell32/autocomplete.c +++ b/dlls/shell32/autocomplete.c @@ -228,7 +228,7 @@ static void enumerate_strings(IAutoCompleteImpl *ac, enum prefix_filtering pfx_f } while (str_read);
/* Allocate even if there were zero strings enumerated, to mark it non-NULL */ - if ((tmp = realloc(strs, cur * sizeof(*strs)))) + if ((tmp = realloc(strs, max(cur, 1) * sizeof(*strs)))) { strs = tmp; if (cur > 0)
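Review bot: the comment above the realloc should also state why the size is clamped to at least one element, since "to mark it non-NULL" alone does not explain the hazard this change removes: with cur == 0, realloc(strs, 0) may free strs and return NULL, which takes the failure path and frees strs a second time. With max(cur, 1) a NULL return now only means a genuine allocation failure, after which strs is left untouched and the single free on the failure path is correct. Suggested wording: `/* Allocate at least one element even if zero strings were enumerated: realloc(ptr, 0) may free ptr and return NULL, which would free strs twice on failure */`.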