Author: rmessiant Date: Sun Mar 6 00:37:10 2011 New Revision: 50978 URL: http://svn.reactos.org/svn/reactos?rev=50978&view=rev Log: [HEAP] - RtlpInsertUnCommittedPages: Don't rely on linked list data in an UCR Descriptor after destroying it. No functionality change because the linked list data was still "as expected", but not something we want to rely on. - RtlpCreateUnCommittedRange: Fix a typo that caused the head of UCR Segment list of the Heap to be treated as an UCR Segment header. Side effects of the typo: When this list wasn't empty, the (fake) UCR Segment it described was grown to contain more UCR descriptors. Due to the data involved, this always happened to be the initial Heap Segment, which contains the Heap Header. Writing the new UCR descriptors caused the Heap Header and trailing Heap Entries to be partially corrupted. Modified: trunk/reactos/lib/rtl/heap.c Modified: trunk/reactos/lib/rtl/heap.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/rtl/heap.c?rev=50978&a… ============================================================================== --- trunk/reactos/lib/rtl/heap.c [iso-8859-1] (original) +++ trunk/reactos/lib/rtl/heap.c [iso-8859-1] Sun Mar 6 00:37:10 2011 @@ -414,7 +414,7 @@ if (IsListEmpty(&Heap->UCRList)) { /* Get a pointer to the first UCR segment */ - UcrSegment = CONTAINING_RECORD(&Heap->UCRSegments.Flink, HEAP_UCR_SEGMENT, ListEntry); + UcrSegment = CONTAINING_RECORD(Heap->UCRSegments.Flink, HEAP_UCR_SEGMENT, ListEntry); /* Check the list of UCR segments */ if (IsListEmpty(&Heap->UCRSegments) || @@ -539,8 +539,11 @@ Address = (ULONG_PTR)UcrDescriptor->Address; Size += UcrDescriptor->Size; - /* Remove it from the list and destroy it */ - RemoveEntryList(Current); + /* Advance to the next descriptor */ + Current = Current->Flink; + + /* Remove the current descriptor from the list and destroy it */ + RemoveEntryList(&UcrDescriptor->SegmentEntry); RtlpDestroyUnCommittedRange(Segment, UcrDescriptor); Segment->NumberOfUnCommittedRanges--;