[SHELL32]

Avoid double-free and use-after-free in case the FSD fails to register the change directory notification

CORE-13549

svn path=/trunk/; revision=75348

diff --git a/reactos/dll/win32/shell32/wine/changenotify.c b/reactos/dll/win32/shell32/wine/changenotify.c
index 9369379..7846497 100644 (file)
--- a/reactos/dll/win32/shell32/wine/changenotify.c
+++ b/reactos/dll/win32/shell32/wine/changenotify.c
@@ -723,6 +723,20 @@ _NotificationCompletion(DWORD dwErrorCode, // completion code
     }
 #endif
 
+#ifdef __REACTOS__
+    /* This is to avoid double-free and potential use after free
+     * In case it failed, _BeginRead() already deferenced item
+     * But if failure comes the FSD, the APC routine (us) will
+     * be called as well, which will cause a double-free on quit.
+     * Avoid this by deferencing only once in case of failure and thus,
+     * incrementing reference count here
+     */
+    if (dwErrorCode != ERROR_SUCCESS)
+    {
+        InterlockedIncrement(&item->pParent->wQueuedCount);
+    }
+#endif
+
     /* This likely means overflow, so force whole directory refresh. */
     if (!dwNumberOfBytesTransfered)
     {