[PATCH v2 1/3] rtworkq: Avoid use-after-free.

1 Nov 2023

From: Yuxuan Shui yshui@codeweavers.com
queue_release_pending_item releases the work_item reference but later accesses `item->queue`, which
is a potential use-after-free.
---
 dlls/rtworkq/queue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/rtworkq/queue.c b/dlls/rtworkq/queue.c
index 15b8da47639..0242cd0d61b 100644
--- a/dlls/rtworkq/queue.c
+++ b/dlls/rtworkq/queue.c
@@ -737,9 +737,9 @@ static void queue_release_pending_item(struct work_item *item)
     {
         list_remove(&item->entry);
         item->key = 0;
-        IUnknown_Release(&item->IUnknown_iface);
     }
     LeaveCriticalSection(&item->queue->cs);
+    IUnknown_Release(&item->IUnknown_iface);
 }
static void CALLBACK waiting_item_callback(TP_CALLBACK_INSTANCE *instance, void *context, TP_WAIT *wait,
-- 
GitLab


https://gitlab.winehq.org/wine/wine/-/merge_requests/4243

    

2025

2024

2023

2022

[PATCH v2 1/3] rtworkq: Avoid use-after-free.