A pending block may be an LFH block, and freeing it with heap_free_block() crashes.
From: Paul Gofman pgofman@codeweavers.com
---
 dlls/ntdll/heap.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/dlls/ntdll/heap.c b/dlls/ntdll/heap.c
index 7547ac50f61..d8dab867ff5 100644
--- a/dlls/ntdll/heap.c
+++ b/dlls/ntdll/heap.c
@@ -326,6 +326,8 @@ C_ASSERT( offsetof(struct heap, subheap) <= REGION_ALIGN - 1 );
static struct heap *process_heap; /* main process heap */
+static NTSTATUS heap_free_block_lfh( struct heap *heap, ULONG flags, struct block *block );
+
 /* check if memory range a contains memory range b */
 static inline BOOL contains( const void *a, SIZE_T a_size, const void *b, SIZE_T b_size )
 {
@@ -1640,7 +1642,10 @@ HANDLE WINAPI RtlDestroyHeap( HANDLE handle )
 {
 heap->pending_free = NULL;
 for (tmp = pending; *tmp && tmp != pending + MAX_FREE_PENDING; ++tmp)
+ {
+ if (!heap_free_block_lfh( heap, heap->flags, *tmp )) continue;
 heap_free_block( heap, heap->flags, *tmp );
+ }
 RtlFreeHeap( handle, 0, pending );
 }
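Review bot: The new `if (!heap_free_block_lfh( heap, heap->flags, *tmp )) continue;` line in the RtlDestroyHeap hunk treats every non-success status as "not an LFH block" and hands the block to heap_free_block(), which is exactly the path the description says crashes on LFH blocks. heap_free_block_lfh() is only forward-declared in the first hunk and its body is not in the patch, so it is inferred rather than visible that a non-success status can only mean the block does not belong to the LFH; if it can also report a failure on an LFH block (for example a consistency check), that block would still reach heap_free_block(). Worth confirming that contract, and recording the reason for the two-step free next to the call, e.g. `/* pending blocks may be LFH blocks, which heap_free_block() cannot handle */`. The enclosing RtlDestroyHeap body starts and ends outside the hunk.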
This merge request was approved by Rémi Bernon.