[BROWSEUI] Don't access callers invalid PIDL during browse (#7242)

The interaction between the shell browser and its address bar causes the browser to read from a freed PIDL, sometimes causing a crash.

CORE-19697
Whindmar Saksit 2024-08-13 20:57:58 +02:00 committed by GitHub
parent 07a76b3dec
commit 1061e7f7db
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1034,6 +1034,10 @@ HRESULT CShellBrowser::BrowseToPath(IShellFolder *newShellFolder,
if (FAILED_UNEXPECTEDLY(hResult))
return hResult;
if (FAILED_UNEXPECTEDLY(hResult = SHILClone(absolutePIDL, &absolutePIDL)))
return hResult;
CComHeapPtr<ITEMIDLIST> pidlAbsoluteClone(const_cast<LPITEMIDLIST>(absolutePIDL));
// update history
if (flags & BTP_UPDATE_CUR_HISTORY)
{
@ -1078,7 +1082,14 @@ HRESULT CShellBrowser::BrowseToPath(IShellFolder *newShellFolder,
// update current pidl
ILFree(fCurrentDirectoryPIDL);
fCurrentDirectoryPIDL = ILClone(absolutePIDL);
fCurrentDirectoryPIDL = pidlAbsoluteClone.Detach();
/* CORE-19697: CAddressEditBox::OnWinEvent(CBN_SELCHANGE) causes CAddressEditBox to
* call BrowseObject(pidlLastParsed). As part of our browsing we call FireNavigateComplete
* and this in turn causes CAddressEditBox::Invoke to ILFree(pidlLastParsed)!
* We then call SHBindToParent on absolutePIDL (which is really (the now invalid) pidlLastParsed) and we
* end up accessing invalid memory! We therefore set absolutePIDL to be our cloned PIDL here.
*/
absolutePIDL = fCurrentDirectoryPIDL;
// create view window
hResult = newShellView->CreateViewWindow(saveCurrentShellView, folderSettings,