[ros-diffs] [reactos] 01/01: [SHELL32] CDefView: Prevent use after free

26 May 2021

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f0bee6c4bc20d74999281a...
commit f0bee6c4bc20d74999281a5fa26cc94549256b22
Author:     Mark Jansen mark.jansen@reactos.org
AuthorDate: Wed May 26 22:57:43 2021 +0200
Commit:     Mark Jansen mark.jansen@reactos.org
CommitDate: Wed May 26 22:57:43 2021 +0200
[SHELL32] CDefView: Prevent use after free
While updating the item, the LVIF_STATE would be requested,
    for which the old lParam would be accessed.
---
 dll/win32/shell32/CDefView.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/dll/win32/shell32/CDefView.cpp b/dll/win32/shell32/CDefView.cpp
index b3ed556acf4..50471196d31 100644
--- a/dll/win32/shell32/CDefView.cpp
+++ b/dll/win32/shell32/CDefView.cpp
@@ -861,7 +861,8 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld, PCUITEMID_CHILD pidlNew
         lvItem.iSubItem = 0;
         m_ListView.GetItem(&lvItem);
-        SHFree(reinterpret_cast<LPVOID>(lvItem.lParam));
+        LPVOID oldPidl = reinterpret_cast<LPVOID>(lvItem.lParam);   /* Store the old pidl until the new item is replaced */
+
         lvItem.mask = LVIF_PARAM | LVIF_IMAGE | LVIF_TEXT;
         lvItem.iItem = nItem;
         lvItem.iSubItem = 0;
@@ -870,6 +871,9 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld, PCUITEMID_CHILD pidlNew
         lvItem.iImage = SHMapPIDLToSystemImageListIndex(m_pSFParent, pidlNew, 0);
         m_ListView.SetItem(&lvItem);
         m_ListView.Update(nItem);
+
+        SHFree(oldPidl);                /* Now that the new item is in place, we can safely release the old pidl */
+
         return TRUE;                    /* FIXME: better handling */
     }

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[ros-diffs] [reactos] 01/01: [SHELL32] CDefView: Prevent use after free