[patch] segv on use-after-free in dsound/buffer.c

2009-05-23 Thread Yuriy Kaminskiy

Hello!
   One of the games rarely crashed with segv in line 86 of dsound/buffer.c:
85:  IDirectSoundBuffer_Release((LPDIRECTSOUNDBUFFER)This->dsb);
86:  This->dsb->notify = NULL;
   (sorry, I failed to save the actual backtrace at the time). This looks
like a typical assign-after-free bug. I've applied the attached patch
(wine-1.1.7, now on 1.1.19), no crashes so far (btw, the similar
*Secondary*Release method down in the code uses the proper order -
assign-NULL-then-release).
--- wine-1.1.7/dlls/dsound/buffer.c.orig	2009-03-14 15:28:10.0 +0300
+++ wine-1.1.7/dlls/dsound/buffer.c	2009-04-23 19:50:42.0 +0400
@@ -82,8 +82,8 @@  static ULONG WINAPI IDirectSoundNotifyImpl_Release(
 TRACE((%p) ref was %d\n, This, ref + 1);
 
 if (!ref) {
-IDirectSoundBuffer_Release((LPDIRECTSOUNDBUFFER)This-dsb);
 This-dsb-notify = NULL;
+IDirectSoundBuffer_Release((LPDIRECTSOUNDBUFFER)This-dsb);
 HeapFree(GetProcessHeap(), 0, This);
 TRACE((%p) released\n, This);
 }
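Review bot: the swap of the `-`/`+` lines is the right fix, because `IDirectSoundBuffer_Release` can drop the last reference to `This->dsb` and free it, after which the original `This->dsb->notify = NULL` wrote into a freed heap block; clearing the back-pointer first, while `This` still holds its reference on the buffer, closes that window. On its own the hunk reads as a cosmetic reorder, so the commit message should carry the lifetime argument (the notify object may hold the last reference to its buffer once the application has released the buffer) and the crash site at line 86, so that nobody later "tidies" the two lines back.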



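As an added illustration of the ordering argument in this report (not Wine's code), a small model standing in for the notify/buffer pair: `buffer_release`, `notify_release_buggy`, `notify_release_fixed` and `run_scenario` are hypothetical names, and freeing is modelled with a poison flag so the bad write is counted rather than performed on freed memory.

```c
#include <stdlib.h>
/* Hypothetical model (not Wine code) of the notify/buffer pair in dsound/buffer.c:
 * the notify object holds a reference to its buffer, the buffer keeps a back-pointer
 * to the notify object. HeapFree() is modelled by a poison flag so the ordering
 * bug is counted deterministically instead of corrupting the heap. */
struct notify;
struct buffer { long ref; struct notify *notify; int freed; };
struct notify { long ref; struct buffer *dsb; };
static int writes_after_free;          /* writes that landed in a "freed" buffer */

static void buffer_release(struct buffer *b)
{
    if (--b->ref == 0) b->freed = 1;   /* last reference gone: block is dead */
}

/* Original ordering: release the buffer, then clear its back-pointer (line 86). */
static void notify_release_buggy(struct notify *n)
{
    if (--n->ref == 0) {
        buffer_release(n->dsb);
        if (n->dsb->freed) writes_after_free++;   /* would be a write into freed memory */
        else n->dsb->notify = NULL;
        free(n);
    }
}

/* Patched ordering: clear the back-pointer while our reference keeps the buffer alive. */
static void notify_release_fixed(struct notify *n)
{
    if (--n->ref == 0) {
        n->dsb->notify = NULL;
        buffer_release(n->dsb);
        free(n);
    }
}

/* extra_buffer_refs == 0 is the crash case: the notify object holds the last buffer
 * reference (the game already released the buffer). Returns writes into freed memory. */
static int run_scenario(int use_fix, int extra_buffer_refs)
{
    struct buffer *b = calloc(1, sizeof *b);
    struct notify *n = calloc(1, sizeof *n);
    b->ref = 1 + extra_buffer_refs; b->notify = n;
    n->ref = 1; n->dsb = b;
    writes_after_free = 0;
    if (use_fix) notify_release_fixed(n); else notify_release_buggy(n);
    free(b);                           /* the model only flagged it; release for real */
    return writes_after_free;
}
```

With the notify object holding the last buffer reference, the original order produces one write into the dead block and the patched order none; with an extra buffer reference outstanding neither order misbehaves, which is why the crash was rare.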

Re: [patch] segv on use-after-free in dsound/buffer.c

2009-05-23 Thread Austin English
2009/5/23 Yuriy Kaminskiy yum...@mail.ru:
> Hello!
>   One of the games rarely crashed with segv in line 86 of dsound/buffer.c:
> 85:      IDirectSoundBuffer_Release((LPDIRECTSOUNDBUFFER)This->dsb);
> 86:      This->dsb->notify = NULL;
>   (sorry, I failed to save the actual backtrace at the time). This looks like
> a typical assign-after-free bug. I've applied the attached patch (wine-1.1.7, now
> on 1.1.19), no crashes so far (btw, the similar *Secondary*Release method down in
> the code uses the proper order - assign-NULL-then-release).

Please send patches to wine-patc...@winehq.org

Thanks for helping Wine!
-- 
-Austin