From 224bb37961ec75c5cb308a7aec29cdcbfc27cad9 Mon Sep 17 00:00:00 2001
From: Hartmut Birr <osexpert@googlemail.com>
Date: Wed, 3 Apr 2002 00:04:01 +0000
Subject: [PATCH] Fixed a bug in RtlDestroyHeap, that will cause a page fault,
 if more than one subheap exist.

svn path=/trunk/; revision=2820
---
 reactos/lib/ntdll/rtl/heap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/reactos/lib/ntdll/rtl/heap.c b/reactos/lib/ntdll/rtl/heap.c
index 0504c3ca3bc..0dc64b2b756 100644
--- a/reactos/lib/ntdll/rtl/heap.c
+++ b/reactos/lib/ntdll/rtl/heap.c
@@ -1046,7 +1046,7 @@ RtlDestroyHeap(HANDLE heap) /* [in] Handle of heap */
 {
     HEAP *heapPtr = HEAP_GetPtr( heap );
     SUBHEAP *subheap;
-    ULONG i;
+    ULONG i, flags;
    
     TRACE("%08x\n", heap );
     if (!heapPtr) return FALSE;
@@ -1064,11 +1064,15 @@ RtlDestroyHeap(HANDLE heap) /* [in] Handle of heap */
    
     RtlDeleteCriticalSection( &heapPtr->critSection );
     subheap = &heapPtr->subheap;
+    // We must save the flags. The first subheap is located after 
+    // the heap structure. If we release the first subheap, 
+    // we release also the heap structure.
+    flags = heapPtr->flags;
     while (subheap)
     {
         SUBHEAP *next = subheap->next;
 
-	if (!(heapPtr->flags & HEAP_NO_VALLOC))
+	if (!(flags & HEAP_NO_VALLOC))
 	  {
 	    ULONG dummySize = 0;
 	    ZwFreeVirtualMemory(NtCurrentProcess(),