Author: tfaber Date: Mon Apr 20 20:01:48 2015 New Revision: 67328 URL: http://svn.reactos.org/svn/reactos?rev=67328&view=rev Log: [COMCTL32] - Fix use after free in DPA_Merge Modified: trunk/reactos/dll/win32/comctl32/dpa.c Modified: trunk/reactos/dll/win32/comctl32/dpa.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/comctl32/dpa.c?r… ============================================================================== --- trunk/reactos/dll/win32/comctl32/dpa.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/comctl32/dpa.c [iso-8859-1] Mon Apr 20 20:01:48 2015 @@ -291,16 +291,14 @@ hdpa1->nItemCount, hdpa2->nItemCount); - /* working but untrusted implementation */ - - pWork1 = &(hdpa1->ptrs[hdpa1->nItemCount - 1]); - pWork2 = &(hdpa2->ptrs[hdpa2->nItemCount - 1]); - nIndex = hdpa1->nItemCount - 1; nCount = hdpa2->nItemCount - 1; do { + pWork1 = &hdpa1->ptrs[nIndex]; + pWork2 = &hdpa2->ptrs[nCount]; + if (nIndex < 0) { if ((nCount >= 0) && (dwFlags & DPAM_UNION)) { /* Now insert the remaining new items into DPA 1 */ @@ -331,10 +329,8 @@ return FALSE; nCount--; - pWork2--; *pWork1 = ptr; nIndex--; - pWork1--; } else if (nResult > 0) { @@ -349,7 +345,6 @@ (pfnMerge)(DPAMM_DELETE, ptr, NULL, lParam); } nIndex--; - pWork1--; } else { @@ -365,7 +360,6 @@ DPA_InsertPtr (hdpa1, nIndex+1, ptr); } nCount--; - pWork2--; } }