From: Yuxuan Shui yshui@codeweavers.com
If devpropcompkeys_append_names fails after the realloc, *ret_keys will contain a dangling pointer. But both of its callers assume it's safe to call free on *ret_keys when devpropcompkeys_append_names fails, resulting in double freeing. --- dlls/windows.devices.enumeration/main.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/dlls/windows.devices.enumeration/main.c b/dlls/windows.devices.enumeration/main.c index 37db9e53f24..6a4505c9649 100644 --- a/dlls/windows.devices.enumeration/main.c +++ b/dlls/windows.devices.enumeration/main.c @@ -510,6 +510,8 @@ static HRESULT WINAPI devpropcompkeys_append_names( DEVPROPCOMPKEY **ret_keys, U
if (FAILED(hr = count_iterable( names_iterable, &count ))) return hr; if (!(keys = realloc( *ret_keys, (keys_len + count) * sizeof( *keys ) ))) return E_OUTOFMEMORY; + *ret_keys = NULL; + *ret_keys_len = 0;
if (FAILED(hr = IIterable_HSTRING_First( names_iterable, &names ))) return hr; for (hr = IIterator_HSTRING_get_HasCurrent( names, &valid ); SUCCEEDED( hr ) && valid; hr = IIterator_HSTRING_MoveNext( names, &valid ))