From f0bee6c4bc20d74999281a5fa26cc94549256b22 Mon Sep 17 00:00:00 2001
From: Mark Jansen
Date: Wed, 26 May 2021 22:57:43 +0200
Subject: [PATCH] [SHELL32] CDefView: Prevent use after free

While updating the item, the LVIF_STATE would be requested, for which the old lParam would be accessed.

---
 dll/win32/shell32/CDefView.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/dll/win32/shell32/CDefView.cpp b/dll/win32/shell32/CDefView.cpp
index b3ed556acf4..50471196d31 100644
--- a/dll/win32/shell32/CDefView.cpp
+++ b/dll/win32/shell32/CDefView.cpp
@@ -861,7 +861,8 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld, PCUITEMID_CHILD pidlNew
 lvItem.iSubItem = 0;
 m_ListView.GetItem(&lvItem);
 
- SHFree(reinterpret_cast(lvItem.lParam));
+ LPVOID oldPidl = reinterpret_cast(lvItem.lParam); /* Store the old pidl until the new item is replaced */
+
 lvItem.mask = LVIF_PARAM | LVIF_IMAGE | LVIF_TEXT;
 lvItem.iItem = nItem;
 lvItem.iSubItem = 0;
@@ -870,6 +871,9 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld, PCUITEMID_CHILD pidlNew
 lvItem.iImage = SHMapPIDLToSystemImageListIndex(m_pSFParent, pidlNew, 0);
 m_ListView.SetItem(&lvItem);
 m_ListView.Update(nItem);
+
+ SHFree(oldPidl); /* Now that the new item is in place, we can safely release the old pidl */
+
 return TRUE; /* FIXME: better handling */
 }
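Review bot: The lParam copied into oldPidl comes from a GetItem call whose return value is not checked, so if that lookup fails the deferred SHFree(oldPidl) at the end of the function releases whatever lvItem.lParam held beforehand rather than the item's pidl. lvItem's declaration lies before the hunk, so whether it is zero-initialised cannot be confirmed from here; a null would be harmless, a stale value would not. A guard before the read, `if (!m_ListView.GetItem(&lvItem)) return FALSE;`, ties the later free to a pidl that was actually obtained from the list. LV_RenameItem begins before this hunk and continues past it.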
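Review bot: SetItem's result is ignored, so if it fails the list item still holds oldPidl while the new SHFree(oldPidl) releases it, which recreates on the error path the dangling-lParam condition this commit fixes, and the ILClone(pidlNew) assigned between the two hunks is leaked as well. Checking the return and freeing the clone that was not installed, instead of the old pidl, keeps ownership consistent in both outcomes and gives the `FIXME: better handling` comment something concrete. The rest of the function continues past the hunk, so I am assuming the existing not-found path already returns FALSE.
```cpp
    lvItem.iImage = SHMapPIDLToSystemImageListIndex(m_pSFParent, pidlNew, 0);
    if (!m_ListView.SetItem(&lvItem))
    {
        /* The list still owns oldPidl; release only the clone we failed to install */
        SHFree(reinterpret_cast<LPVOID>(lvItem.lParam));
        return FALSE;
    }
    m_ListView.Update(nItem);

    SHFree(oldPidl); /* Now that the new item is in place, we can safely release the old pidl */
    return TRUE;
```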