https://git.reactos.org/?p=reactos.git;a=commitdiff;h=a06f10d0c0f0c95f2416fba2b73ba578ceb85af7

commit a06f10d0c0f0c95f2416fba2b73ba578ceb85af7
Author:     Mark Jansen <[email protected]>
AuthorDate: Thu Oct 20 19:51:47 2022 +0200
Commit:     Mark Jansen <[email protected]>
CommitDate: Thu Oct 27 23:45:18 2022 +0200

    [BROWSEUI] Fix CAutoComplete use after free
    
    CORE-18395
---
 dll/win32/browseui/CAutoComplete.cpp | 16 ++++++++++++----
 dll/win32/browseui/CAutoComplete.h   |  6 ++++--
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/dll/win32/browseui/CAutoComplete.cpp 
b/dll/win32/browseui/CAutoComplete.cpp
index f9929870085..6bb970c87f8 100644
--- a/dll/win32/browseui/CAutoComplete.cpp
+++ b/dll/win32/browseui/CAutoComplete.cpp
@@ -1,7 +1,7 @@
 /*
  *    AutoComplete interfaces implementation.
  *
- *    Copyright 2004    Maxime Belleng� <[email protected]>
+ *    Copyright 2004    Maxime Bellengé <[email protected]>
  *    Copyright 2009  Andrew Hill
  *    Copyright 2020-2021 Katayama Hirofumi MZ <[email protected]>
  *
@@ -1549,7 +1549,7 @@ LRESULT CAutoComplete::OnCreate(UINT uMsg, WPARAM wParam, 
LPARAM lParam, BOOL &b
     m_hFont = reinterpret_cast<HFONT>(::GetStockObject(DEFAULT_GUI_FONT));
     m_hwndList.SetFont(m_hFont);
 
-    // add reference to CAutoComplete::m_hWnd
+    // add reference so we won't be deleted during message processing
     AddRef();
     return 0; // success
 }
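Review bot: The rewritten comment above `AddRef();` now says why the reference is taken but not where it is given back, which is the half a reader auditing a use-after-free fix needs most; suggest `// Self-reference so the object outlives its HWND; paired with the Release() in OnFinalMessage()`. OnCreate's body begins before this hunk, so only its tail is visible here.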
@@ -1575,11 +1575,19 @@ LRESULT CAutoComplete::OnNCDestroy(UINT uMsg, WPARAM 
wParam, LPARAM lParam, BOOL
 
     // clean up
     m_hwndCombo = NULL;
-    // remove reference to CAutoComplete::m_hWnd
-    Release();
+
+    // Tell ATL to clean up
+    bHandled = 0;
+
     return 0;
 }
 
+VOID CAutoComplete::OnFinalMessage(HWND)
+{
+    // The message loop is finished, now we can safely destruct!
+    Release();
+}
+
 // WM_EXITSIZEMOVE
 // This message is sent once to a window after it has exited the moving or 
sizing mode.
 LRESULT CAutoComplete::OnExitSizeMove(UINT uMsg, WPARAM wParam, LPARAM lParam, 
BOOL &bHandled)
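Review bot: The added `bHandled = 0;` in OnNCDestroy stores an int literal into a `BOOL&`; `bHandled = FALSE;` matches the parameter type and the way the other handlers in this file spell it. The comment on the new OnFinalMessage should also record the ownership contract the fix depends on, because the balancing AddRef() lives in OnCreate: e.g. `// Balances the AddRef() in OnCreate(). ATL calls this after WM_NCDESTROY has been handled and m_hWnd detached, so this may be the last reference: touch no member after Release() returns.` OnNCDestroy's body starts before this hunk and OnExitSizeMove continues past it. One point worth confirming from code not shown here is whether a window whose creation fails before OnCreate's AddRef() runs can still reach OnFinalMessage, since the Release() there would then be unbalanced.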
diff --git a/dll/win32/browseui/CAutoComplete.h 
b/dll/win32/browseui/CAutoComplete.h
index 97d633c5db2..b8370f899a0 100644
--- a/dll/win32/browseui/CAutoComplete.h
+++ b/dll/win32/browseui/CAutoComplete.h
@@ -1,7 +1,7 @@
 /*
  *  AutoComplete interfaces implementation.
  *
- *  Copyright 2004  Maxime Belleng� <[email protected]>
+ *  Copyright 2004  Maxime Bellengé <[email protected]>
  *  Copyright 2009  Andrew Hill
  *  Copyright 2021  Katayama Hirofumi MZ <[email protected]>
  *
@@ -156,9 +156,9 @@ public:
 
     // public methods
     CAutoComplete();
-    HWND CreateDropDown();
     virtual ~CAutoComplete();
 
+    HWND CreateDropDown();
     BOOL CanAutoSuggest() const;
     BOOL CanAutoAppend() const;
     BOOL UseTab() const;
@@ -284,6 +284,8 @@ protected:
     LRESULT OnAutoCompStart(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL 
&bHandled);
     LRESULT OnAutoCompFinish(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL 
&bHandled);
 
+    virtual VOID OnFinalMessage(HWND) override;
+
     DECLARE_REGISTRY_RESOURCEID(IDR_AUTOCOMPLETE)
     DECLARE_NOT_AGGREGATABLE(CAutoComplete)
     DECLARE_PROTECT_FINAL_CONSTRUCT()
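Review bot: `virtual VOID OnFinalMessage(HWND) override;` repeats `virtual` on an overriding declaration, which `override` already implies; `VOID OnFinalMessage(HWND) override;` says the same with less noise. The declaration also carries no comment, and the header is where a reader will first look for why the object must outlive WM_NCDESTROY; suggest `// Called by ATL after the final message; releases the self-reference taken in OnCreate().` above it. The enclosing class body starts before and ends after this hunk.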
