https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f0bee6c4bc20d74999281…
commit f0bee6c4bc20d74999281a5fa26cc94549256b22
Author: Mark Jansen <mark.jansen(a)reactos.org>
AuthorDate: Wed May 26 22:57:43 2021 +0200
Commit: Mark Jansen <mark.jansen(a)reactos.org>
CommitDate: Wed May 26 22:57:43 2021 +0200
[SHELL32] CDefView: Prevent use after free
While updating the item, the LVIF_STATE would be requested,
for which the old lParam would be accessed.
---
dll/win32/shell32/CDefView.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/dll/win32/shell32/CDefView.cpp b/dll/win32/shell32/CDefView.cpp
index b3ed556acf4..50471196d31 100644
--- a/dll/win32/shell32/CDefView.cpp
+++ b/dll/win32/shell32/CDefView.cpp
@@ -861,7 +861,8 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld,
PCUITEMID_CHILD pidlNew
lvItem.iSubItem = 0;
m_ListView.GetItem(&lvItem);
- SHFree(reinterpret_cast<LPVOID>(lvItem.lParam));
+ LPVOID oldPidl = reinterpret_cast<LPVOID>(lvItem.lParam); /* Store the
old pidl until the new item is replaced */
+
lvItem.mask = LVIF_PARAM | LVIF_IMAGE | LVIF_TEXT;
lvItem.iItem = nItem;
lvItem.iSubItem = 0;
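Review bot: `oldPidl` is read from `lvItem.lParam` without checking whether `m_ListView.GetItem(&lvItem)` succeeded, so after a failed lookup the later `SHFree(oldPidl)` would release whatever value `lParam` held before the call. The declaration and initialisation of `lvItem` are above this hunk, so this only matters if the struct is not zeroed there. A guard such as `if (!m_ListView.GetItem(&lvItem)) return FALSE;` ahead of the `oldPidl` line would close the gap and fits the existing `/* FIXME: better handling */` on the return. LV_RenameItem starts outside the hunk.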
@@ -870,6 +871,9 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld,
PCUITEMID_CHILD pidlNew
lvItem.iImage = SHMapPIDLToSystemImageListIndex(m_pSFParent, pidlNew, 0);
m_ListView.SetItem(&lvItem);
m_ListView.Update(nItem);
+
+ SHFree(oldPidl); /* Now that the new item is in place, we can
safely release the old pidl */
+
return TRUE; /* FIXME: better handling */
}
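Review bot: `SHFree(oldPidl)` runs unconditionally, even if `m_ListView.SetItem(&lvItem)` failed. In that case the item presumably still carries the old `lParam` and is left pointing at freed memory, which is the same class of bug this commit fixes. Checking the result first, e.g. `if (!m_ListView.SetItem(&lvItem)) return FALSE;`, keeps the old pidl alive for as long as the list view may still reference it. The assignment of the new `lParam` is between the two hunks and not visible here, so the failure path should also release that new pidl if it is a fresh allocation. It would also help to extend the comment on the `SHFree` line to say that the free depends on `SetItem` having replaced the `lParam`.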