From c4689f7e1dc86ff1305b9e0af546f4a33138250a Mon Sep 17 00:00:00 2001
From: Pierre Schweitzer
Date: Sat, 15 Jul 2017 07:45:28 +0000
Subject: [PATCH] [SHELL32] Avoid double-free and use-after-free in case the FSD fails to register the change directory notification CORE-13549

svn path=/trunk/; revision=75348
---
 reactos/dll/win32/shell32/wine/changenotify.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/reactos/dll/win32/shell32/wine/changenotify.c b/reactos/dll/win32/shell32/wine/changenotify.c
index 936937900f8..7846497184a 100644
--- a/reactos/dll/win32/shell32/wine/changenotify.c
+++ b/reactos/dll/win32/shell32/wine/changenotify.c
@@ -723,6 +723,20 @@ _NotificationCompletion(DWORD dwErrorCode, // completion code
 }
 #endif
 
+#ifdef __REACTOS__
+ /* This is to avoid double-free and potential use after free
+ * In case it failed, _BeginRead() already deferenced item
+ * But if failure comes the FSD, the APC routine (us) will
+ * be called as well, which will cause a double-free on quit.
+ * Avoid this by deferencing only once in case of failure and thus,
+ * incrementing reference count here
+ */
+ if (dwErrorCode != ERROR_SUCCESS)
+ {
+ InterlockedIncrement(&item->pParent->wQueuedCount);
+ }
+#endif
+
 /* This likely means overflow, so force whole directory refresh. */
 if (!dwNumberOfBytesTransfered)
 {
-- 
2.17.1
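Review bot: The added `if (dwErrorCode != ERROR_SUCCESS)` block re-takes a reference on `wQueuedCount` for every failure code, while its comment justifies that only for the case where `_BeginRead()` has already dropped one; if this completion routine can also run with an error after a successful `_BeginRead()` (a cancelled or aborted read, for instance, which this hunk does not show), the count ends one too high and the parent is never released. The increment also reads `item->pParent` after that earlier release, so it is safe only if the release in `_BeginRead()` can never be the last one before this APC runs, and that invariant should be written next to the increment, e.g. `/* _BeginRead() already released its reference on failure and the parent is still held by the caller; re-take it so the release below happens exactly once */`. In the same comment "deferenced" should read "dereferenced" and "comes the FSD" should read "comes from the FSD". The body of `_NotificationCompletion` starts and ends outside the hunk, so the release path this increment balances against cannot be checked from here.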