[PATCH 1/1] ole32: Fix a possible use-after-free (Coverity).

2 Jan 2024

From: Zhiyi Zhang zzhang@codeweavers.com
moniker_tree_get_rightmost(root) can return the same pointer as the root parameter so node can
equal to root. moniker_tree_discard(node) frees node, which could be same as root. Then
moniker_create_from_tree(root) could access the already freed pointer.
---
 dlls/ole32/compositemoniker.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dlls/ole32/compositemoniker.c b/dlls/ole32/compositemoniker.c
index d322604adce..bbdf8975f38 100644
--- a/dlls/ole32/compositemoniker.c
+++ b/dlls/ole32/compositemoniker.c
@@ -1632,7 +1632,8 @@ static HRESULT composite_get_rightmost(CompositeMonikerImpl *composite, IMoniker
*rightmost = node->moniker;
     IMoniker_AddRef(*rightmost);
-    moniker_tree_discard(node, TRUE);
+    if (node != root)
+        moniker_tree_discard(node, TRUE);
hr = moniker_create_from_tree(root, &count, left);
     moniker_tree_release(root);
-- 
GitLab

https://gitlab.winehq.org/wine/wine/-/merge_requests/4768

    

2025

2024

2023

2022

[PATCH 1/1] ole32: Fix a possible use-after-free (Coverity).