https://git.reactos.org/?p=reactos.git;a=commitdiff;h=1061e7f7db44b73711ae7fe05a53cc77e672b861

commit 1061e7f7db44b73711ae7fe05a53cc77e672b861
Author:     Whindmar Saksit <whinds...@proton.me>
AuthorDate: Tue Aug 13 20:57:58 2024 +0200
Commit:     GitHub <nore...@github.com>
CommitDate: Tue Aug 13 20:57:58 2024 +0200

    [BROWSEUI] Don't access callers invalid PIDL during browse (#7242)
    
    The interaction between the shell browser and its address bar causes the 
browser to read from a freed PIDL, sometimes causing a crash.
    
    CORE-19697
---
 dll/win32/browseui/shellbrowser.cpp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/dll/win32/browseui/shellbrowser.cpp 
b/dll/win32/browseui/shellbrowser.cpp
index 00fbb06e07b..219767387cb 100644
--- a/dll/win32/browseui/shellbrowser.cpp
+++ b/dll/win32/browseui/shellbrowser.cpp
@@ -1034,6 +1034,10 @@ HRESULT CShellBrowser::BrowseToPath(IShellFolder 
*newShellFolder,
     if (FAILED_UNEXPECTEDLY(hResult))
         return hResult;
 
+    if (FAILED_UNEXPECTEDLY(hResult = SHILClone(absolutePIDL, &absolutePIDL)))
+        return hResult;
+    CComHeapPtr<ITEMIDLIST> 
pidlAbsoluteClone(const_cast<LPITEMIDLIST>(absolutePIDL));
+
     // update history
     if (flags & BTP_UPDATE_CUR_HISTORY)
     {
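Review bot: `SHILClone(absolutePIDL, &absolutePIDL)` on the first added line aliases the input and output of the call, so correctness depends on SHILClone fully reading `pidl` before it stores to `*ppidl`, and the `const_cast` two lines later exists only because the result was written back through the (apparently `LPCITEMIDLIST`) parameter. Cloning into a separate local removes the aliasing and the cast, and makes it explicit that from this point on the function only touches its own copy, which is the actual defence against the `ILFree(pidlLastParsed)` that the commit message describes. The history-update code that follows is outside this hunk and I could not check whether it also reads `absolutePIDL`; with the rewrite below it is covered either way, since the reseat happens before it. BrowseToPath begins before this hunk.
```cpp
    if (FAILED_UNEXPECTEDLY(hResult))
        return hResult;

    LPITEMIDLIST pidlClone = NULL;
    if (FAILED_UNEXPECTEDLY(hResult = SHILClone(absolutePIDL, &pidlClone)))
        return hResult;
    CComHeapPtr<ITEMIDLIST> pidlAbsoluteClone(pidlClone);
    // CORE-19697: the caller's PIDL may be freed by the address bar while we browse
    // (FireNavigateComplete -> CAddressEditBox::Invoke -> ILFree(pidlLastParsed)),
    // so every later use of absolutePIDL in this function must refer to our own copy.
    absolutePIDL = pidlClone;

    // … unchanged: history update …
```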
@@ -1078,7 +1082,14 @@ HRESULT CShellBrowser::BrowseToPath(IShellFolder 
*newShellFolder,
 
     // update current pidl
     ILFree(fCurrentDirectoryPIDL);
-    fCurrentDirectoryPIDL = ILClone(absolutePIDL);
+    fCurrentDirectoryPIDL = pidlAbsoluteClone.Detach();
+    /* CORE-19697: CAddressEditBox::OnWinEvent(CBN_SELCHANGE) causes 
CAddressEditBox to
+     * call BrowseObject(pidlLastParsed). As part of our browsing we call 
FireNavigateComplete
+     * and this in turn causes CAddressEditBox::Invoke to 
ILFree(pidlLastParsed)!
+     * We then call SHBindToParent on absolutePIDL (which is really (the now 
invalid) pidlLastParsed) and we
+     * end up accessing invalid memory! We therefore set absolutePIDL to be 
our cloned PIDL here.
+     */
+    absolutePIDL = fCurrentDirectoryPIDL;
 
     // create view window
     hResult = newShellView->CreateViewWindow(saveCurrentShellView, 
folderSettings,
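Review bot: The comment and the final `absolutePIDL = fCurrentDirectoryPIDL;` on the last added line describe this assignment as the point where the dangling pointer is replaced, but `SHILClone(absolutePIDL, &absolutePIDL)` in the earlier hunk already stored the clone into `absolutePIDL`, and `Detach()` returns that same pointer, so this line is a no-op unless code between the two hunks (which I cannot see) reassigns `absolutePIDL`. A maintainer reading only this comment could later drop the early clone, believing this line is the protection; I would reword it to `/* CORE-19697: absolutePIDL has pointed at our own clone since SHILClone above; the caller's PIDL may already have been ILFree'd by CAddressEditBox::Invoke during FireNavigateComplete, so nothing in this function may dereference the original pointer. */`. The early clone is also what keeps `ILFree(fCurrentDirectoryPIDL)` three lines above safe if any caller passes `fCurrentDirectoryPIDL` itself as `absolutePIDL` (a refresh-style call); the old `ILClone(absolutePIDL)` after the free would have been a use-after-free in that case, which is worth a sentence in the comment if such a caller exists. BrowseToPath's body continues past the end of this hunk.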
