https://git.reactos.org/?p=reactos.git;a=commitdiff;h=1061e7f7db44b73711ae7…
commit 1061e7f7db44b73711ae7fe05a53cc77e672b861
Author: Whindmar Saksit <whindsaks(a)proton.me>
AuthorDate: Tue Aug 13 20:57:58 2024 +0200
Commit: GitHub <noreply(a)github.com>
CommitDate: Tue Aug 13 20:57:58 2024 +0200
[BROWSEUI] Don't access caller's invalid PIDL during browse (#7242)
The interaction between the shell browser and its address bar causes the browser to
read from a freed PIDL, sometimes causing a crash.
CORE-19697
---
dll/win32/browseui/shellbrowser.cpp | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/dll/win32/browseui/shellbrowser.cpp b/dll/win32/browseui/shellbrowser.cpp
index 00fbb06e07b..219767387cb 100644
--- a/dll/win32/browseui/shellbrowser.cpp
+++ b/dll/win32/browseui/shellbrowser.cpp
@@ -1034,6 +1034,10 @@ HRESULT CShellBrowser::BrowseToPath(IShellFolder *newShellFolder,
if (FAILED_UNEXPECTEDLY(hResult))
return hResult;
+ if (FAILED_UNEXPECTEDLY(hResult = SHILClone(absolutePIDL, &absolutePIDL)))
+ return hResult;
+ CComHeapPtr<ITEMIDLIST>
pidlAbsoluteClone(const_cast<LPITEMIDLIST>(absolutePIDL));
+
// update history
if (flags & BTP_UPDATE_CUR_HISTORY)
{
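Review bot: `SHILClone(absolutePIDL, &absolutePIDL)` on the first added line passes the same variable as both source and output and then overwrites the `LPCITEMIDLIST` parameter, which is the only reason the `const_cast` on the following line is needed. Whether that aliasing is safe depends on SHILClone writing `*ppidl` only after it has finished reading `pidl`; the shell32 implementation appears to do so, but the API contract does not promise it, and on failure the parameter is left holding whatever the callee stored there. Cloning into a separate `LPITEMIDLIST` local, handing that to `CComHeapPtr`, and then assigning the smart pointer to `absolutePIDL` avoids both the aliasing and the cast while keeping the RAII release on every early `return hResult;` path, which is what actually closes the use-after-free window. The rest of BrowseToPath, including the later `Detach()` into `fCurrentDirectoryPIDL`, lies outside this hunk.
```cpp
    if (FAILED_UNEXPECTEDLY(hResult))
        return hResult;
    LPITEMIDLIST pidlClone = NULL;
    if (FAILED_UNEXPECTEDLY(hResult = SHILClone(absolutePIDL, &pidlClone)))
        return hResult;
    CComHeapPtr<ITEMIDLIST> pidlAbsoluteClone(pidlClone);
    absolutePIDL = pidlAbsoluteClone; // owned copy; implicit LPITEMIDLIST -> LPCITEMIDLIST, no const_cast
    // … unchanged: history update …
```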
@@ -1078,7 +1082,14 @@ HRESULT CShellBrowser::BrowseToPath(IShellFolder *newShellFolder,
// update current pidl
ILFree(fCurrentDirectoryPIDL);
- fCurrentDirectoryPIDL = ILClone(absolutePIDL);
+ fCurrentDirectoryPIDL = pidlAbsoluteClone.Detach();
+ /* CORE-19697: CAddressEditBox::OnWinEvent(CBN_SELCHANGE) causes CAddressEditBox to
+ * call BrowseObject(pidlLastParsed). As part of our browsing we call
FireNavigateComplete
+ * and this in turn causes CAddressEditBox::Invoke to ILFree(pidlLastParsed)!
+ * We then call SHBindToParent on absolutePIDL (which is really (the now invalid)
pidlLastParsed) and we
+ * end up accessing invalid memory! We therefore set absolutePIDL to be our cloned
PIDL here.
+ */
+ absolutePIDL = fCurrentDirectoryPIDL;
// create view window
hResult = newShellView->CreateViewWindow(saveCurrentShellView, folderSettings,