Author: pschweitzer
Date: Sat Jul 15 07:45:28 2017
New Revision: 75348
URL: http://svn.reactos.org/svn/reactos?rev=75348&view=rev
Log:
[SHELL32] Avoid double-free and use-after-free in case the FSD fails to register the change directory notification
CORE-13549
Modified: trunk/reactos/dll/win32/shell32/wine/changenotify.c
Modified: trunk/reactos/dll/win32/shell32/wine/changenotify.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/shell32/wine/chan... ============================================================================== --- trunk/reactos/dll/win32/shell32/wine/changenotify.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/shell32/wine/changenotify.c [iso-8859-1] Sat Jul 15 07:45:28 2017 @@ -723,6 +723,20 @@ } #endif
+#ifdef __REACTOS__ + /* This is to avoid double-free and potential use after free + * In case it failed, _BeginRead() already deferenced item + * But if failure comes the FSD, the APC routine (us) will + * be called as well, which will cause a double-free on quit. + * Avoid this by deferencing only once in case of failure and thus, + * incrementing reference count here + */ + if (dwErrorCode != ERROR_SUCCESS) + { + InterlockedIncrement(&item->pParent->wQueuedCount); + } +#endif + /* This likely means overflow, so force whole directory refresh. */ if (!dwNumberOfBytesTransfered) {
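Review bot: On the `dwErrorCode != ERROR_SUCCESS` path the added block reads `item->pParent` to bump `wQueuedCount`, but the comment itself says `_BeginRead()` has already dropped a reference on `item` by then, so nothing visible here guarantees `item` is still alive when the completion routine touches it. If that earlier release can be the last one, this increment is itself a use after free. Re-incrementing in the APC to cancel a later decrement also leaves the count briefly too low between the two calls; it would be more robust to give the failure case a single owner, for example by having `_BeginRead()` skip its own release whenever the completion routine is still going to run, and to state in the comment which later code performs the matching decrement. The condition also covers every non-success code, so confirm that each such completion really does reach that decrement. Separately, check that `wQueuedCount` is declared as a `LONG`, since `InterlockedIncrement` operates on a 32-bit value, and fix the comment wording: "deferenced"/"deferencing" should be "dereferenced"/"dereferencing", and "comes the FSD" should be "comes from the FSD".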