https://git.reactos.org/?p=reactos.git;a=commitdiff;h=a06f10d0c0f0c95f2416fb...
commit a06f10d0c0f0c95f2416fba2b73ba578ceb85af7 Author: Mark Jansen mark.jansen@reactos.org AuthorDate: Thu Oct 20 19:51:47 2022 +0200 Commit: Mark Jansen mark.jansen@reactos.org CommitDate: Thu Oct 27 23:45:18 2022 +0200
[BROWSEUI] Fix CAutoComplete use after free
CORE-18395
---
 dll/win32/browseui/CAutoComplete.cpp | 16 ++++++++++++----
 dll/win32/browseui/CAutoComplete.h | 6 ++++--
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/dll/win32/browseui/CAutoComplete.cpp b/dll/win32/browseui/CAutoComplete.cpp
index f9929870085..6bb970c87f8 100644
--- a/dll/win32/browseui/CAutoComplete.cpp
+++ b/dll/win32/browseui/CAutoComplete.cpp
@@ -1,7 +1,7 @@
 /*
 * AutoComplete interfaces implementation.
 *
- * Copyright 2004 Maxime Belleng� maxime.bellenge@laposte.net
+ * Copyright 2004 Maxime Bellengé maxime.bellenge@laposte.net
 * Copyright 2009 Andrew Hill
 * Copyright 2020-2021 Katayama Hirofumi MZ katayama.hirofumi.mz@gmail.com
 *
@@ -1549,7 +1549,7 @@ LRESULT CAutoComplete::OnCreate(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL &b
 m_hFont = reinterpret_cast<HFONT>(::GetStockObject(DEFAULT_GUI_FONT));
 m_hwndList.SetFont(m_hFont);
- // add reference to CAutoComplete::m_hWnd
+ // add reference so we won't be deleted during message processing
 AddRef();
 return 0; // success
 }
@@ -1575,11 +1575,19 @@ LRESULT CAutoComplete::OnNCDestroy(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL
 // clean up
 m_hwndCombo = NULL;
- // remove reference to CAutoComplete::m_hWnd
- Release();
+
+ // Tell ATL to clean up
+ bHandled = 0;
+
 return 0;
 }
+VOID CAutoComplete::OnFinalMessage(HWND)
+{
+ // The message loop is finished, now we can safely destruct!
+ Release();
+}
+
 // WM_EXITSIZEMOVE
 // This message is sent once to a window after it has exited the moving or sizing mode.
 LRESULT CAutoComplete::OnExitSizeMove(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL &bHandled)
diff --git a/dll/win32/browseui/CAutoComplete.h b/dll/win32/browseui/CAutoComplete.h
index 97d633c5db2..b8370f899a0 100644
--- a/dll/win32/browseui/CAutoComplete.h
+++ b/dll/win32/browseui/CAutoComplete.h
@@ -1,7 +1,7 @@
 /*
 * AutoComplete interfaces implementation.
 *
- * Copyright 2004 Maxime Belleng� maxime.bellenge@laposte.net
+ * Copyright 2004 Maxime Bellengé maxime.bellenge@laposte.net
 * Copyright 2009 Andrew Hill
 * Copyright 2021 Katayama Hirofumi MZ katayama.hirofumi.mz@gmail.com
 *
@@ -156,9 +156,9 @@ public:
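Review bot: In CAutoComplete.cpp the `bHandled = 0;` added to OnNCDestroy is the line the whole fix depends on, and its comment (`// Tell ATL to clean up`) does not say why: OnFinalMessage(), which now performs the Release() balancing the AddRef() in OnCreate, is presumably only called when ATL sees WM_NCDESTROY as unhandled, so a later edit that removes or flips this line would silently unbalance the reference count. I would write it as `bHandled = FALSE; // leave WM_NCDESTROY unhandled so ATL calls OnFinalMessage(), which drops the reference taken in OnCreate`. The Release() in OnFinalMessage is unconditional, while the AddRef() sits just before `return 0; // success` at the end of OnCreate; if OnCreate has an earlier failure return (its body starts outside the hunk), the window is still torn down and the count would be decremented without a matching increment, so that path is worth checking. OnNCDestroy's body also starts outside the hunk.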
 // public methods
 CAutoComplete();
- HWND CreateDropDown();
 virtual ~CAutoComplete();
+ HWND CreateDropDown();
 BOOL CanAutoSuggest() const;
 BOOL CanAutoAppend() const;
 BOOL UseTab() const;
@@ -284,6 +284,8 @@ protected:
 LRESULT OnAutoCompStart(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL &bHandled);
 LRESULT OnAutoCompFinish(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL &bHandled);
+ virtual VOID OnFinalMessage(HWND) override;
+
 DECLARE_REGISTRY_RESOURCEID(IDR_AUTOCOMPLETE)
 DECLARE_NOT_AGGREGATABLE(CAutoComplete)
 DECLARE_PROTECT_FINAL_CONSTRUCT()
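Review bot: The new declaration `virtual VOID OnFinalMessage(HWND) override;` in CAutoComplete.h carries no comment about the lifetime contract it implements, and `virtual` is redundant next to `override`. I would declare it as `VOID OnFinalMessage(HWND) override;` with a comment such as `// Called by ATL after the last message for the window; releases the reference taken in OnCreate, so the object may be destroyed here`. The class body starts and ends outside the hunk.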