https://git.reactos.org/?p=reactos.git;a=commitdiff;h=a06f10d0c0f0c95f2416f…
commit a06f10d0c0f0c95f2416fba2b73ba578ceb85af7
Author: Mark Jansen <mark.jansen(a)reactos.org>
AuthorDate: Thu Oct 20 19:51:47 2022 +0200
Commit: Mark Jansen <mark.jansen(a)reactos.org>
CommitDate: Thu Oct 27 23:45:18 2022 +0200
[BROWSEUI] Fix CAutoComplete use after free
CORE-18395
---
dll/win32/browseui/CAutoComplete.cpp | 16 ++++++++++++----
dll/win32/browseui/CAutoComplete.h | 6 ++++--
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/dll/win32/browseui/CAutoComplete.cpp b/dll/win32/browseui/CAutoComplete.cpp
index f9929870085..6bb970c87f8 100644
--- a/dll/win32/browseui/CAutoComplete.cpp
+++ b/dll/win32/browseui/CAutoComplete.cpp
@@ -1,7 +1,7 @@
/*
* AutoComplete interfaces implementation.
*
- * Copyright 2004 Maxime Belleng� <maxime.bellenge(a)laposte.net>
+ * Copyright 2004 Maxime Bellengé <maxime.bellenge(a)laposte.net>
* Copyright 2009 Andrew Hill
* Copyright 2020-2021 Katayama Hirofumi MZ <katayama.hirofumi.mz(a)gmail.com>
*
@@ -1549,7 +1549,7 @@ LRESULT CAutoComplete::OnCreate(UINT uMsg, WPARAM wParam, LPARAM
lParam, BOOL &b
m_hFont = reinterpret_cast<HFONT>(::GetStockObject(DEFAULT_GUI_FONT));
m_hwndList.SetFont(m_hFont);
- // add reference to CAutoComplete::m_hWnd
+ // add reference so we won't be deleted during message processing
AddRef();
return 0; // success
}
@@ -1575,11 +1575,19 @@ LRESULT CAutoComplete::OnNCDestroy(UINT uMsg, WPARAM wParam,
LPARAM lParam, BOOL
// clean up
m_hwndCombo = NULL;
- // remove reference to CAutoComplete::m_hWnd
- Release();
+
+ // Tell ATL to clean up
+ bHandled = 0;
+
return 0;
}
+VOID CAutoComplete::OnFinalMessage(HWND)
+{
+ // The message loop is finished, now we can safely destruct!
+ Release();
+}
+
// WM_EXITSIZEMOVE
// This message is sent once to a window after it has exited the moving or sizing mode.
LRESULT CAutoComplete::OnExitSizeMove(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL
&bHandled)
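Review bot: The self-reference taken by `AddRef()` in OnCreate is now dropped in a different function, but `// Tell ATL to clean up` in OnNCDestroy does not say that leaving WM_NCDESTROY unhandled is what gets OnFinalMessage called. I would write `bHandled = FALSE;` rather than `bHandled = 0;` for a `BOOL&`, with the comment `// Leave WM_NCDESTROY unhandled so ATL calls OnFinalMessage(), which drops the reference taken in OnCreate`. That presumes the ATL window procedure used here invokes OnFinalMessage only on the unhandled path, as the change implies; worth confirming against the ATL headers in the tree. In OnFinalMessage, `Release()` may drop the last reference and destroy the object, so a comment such as `// Must stay the last statement: Release() may delete this` would guard against later edits that touch members after it. OnNCDestroy begins above the hunk, so the earlier part of its body is not visible here.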
diff --git a/dll/win32/browseui/CAutoComplete.h b/dll/win32/browseui/CAutoComplete.h
index 97d633c5db2..b8370f899a0 100644
--- a/dll/win32/browseui/CAutoComplete.h
+++ b/dll/win32/browseui/CAutoComplete.h
@@ -1,7 +1,7 @@
/*
* AutoComplete interfaces implementation.
*
- * Copyright 2004 Maxime Belleng� <maxime.bellenge(a)laposte.net>
+ * Copyright 2004 Maxime Bellengé <maxime.bellenge(a)laposte.net>
* Copyright 2009 Andrew Hill
* Copyright 2021 Katayama Hirofumi MZ <katayama.hirofumi.mz(a)gmail.com>
*
@@ -156,9 +156,9 @@ public:
// public methods
CAutoComplete();
- HWND CreateDropDown();
virtual ~CAutoComplete();
+ HWND CreateDropDown();
BOOL CanAutoSuggest() const;
BOOL CanAutoAppend() const;
BOOL UseTab() const;
@@ -284,6 +284,8 @@ protected:
LRESULT OnAutoCompStart(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL
&bHandled);
LRESULT OnAutoCompFinish(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL
&bHandled);
+ virtual VOID OnFinalMessage(HWND) override;
+
DECLARE_REGISTRY_RESOURCEID(IDR_AUTOCOMPLETE)
DECLARE_NOT_AGGREGATABLE(CAutoComplete)
DECLARE_PROTECT_FINAL_CONSTRUCT()
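Review bot: `virtual VOID OnFinalMessage(HWND) override;` carries both `virtual` and `override`; `override` already requires a virtual base function, so `VOID OnFinalMessage(HWND) override;` says the same with less noise. Since this override is what balances the `AddRef()` in OnCreate, a one-line comment on the declaration, e.g. `// Called by ATL after the window's last message; releases the reference taken in OnCreate`, would keep it from being removed later as apparently unused. The class definition starts and ends outside this hunk.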