Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-04-04 12:39:35 +00:00
Code Issues Projects Releases Packages Wiki Activity

[SHELL32] CDefView: Prevent use after free

Browse source 
While updating the item, the LVIF_STATE would be requested,
for which the old lParam would be accessed.
This commit is contained in:
Mark Jansen 2021-05-26 22:57:43 +02:00
parent 949e3a9cec
commit f0bee6c4bc
No known key found for this signature in database
GPG key ID: B39240EE84BEAE8B
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
dll/win32/shell32/CDefView.cpp
View file

@ -861,7 +861,8 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld, PCUITEMID_CHILD pidlNew
lvItem.iSubItem = 0; lvItem.iSubItem = 0;
m_ListView.GetItem(&lvItem); m_ListView.GetItem(&lvItem);
SHFree(reinterpret_cast<LPVOID>(lvItem.lParam)); LPVOID oldPidl = reinterpret_cast<LPVOID>(lvItem.lParam); /* Store the old pidl until the new item is replaced */
lvItem.mask = LVIF_PARAM | LVIF_IMAGE | LVIF_TEXT; lvItem.mask = LVIF_PARAM | LVIF_IMAGE | LVIF_TEXT;
lvItem.iItem = nItem; lvItem.iItem = nItem;
lvItem.iSubItem = 0; lvItem.iSubItem = 0;
@ -870,6 +871,9 @@ BOOLEAN CDefView::LV_RenameItem(PCUITEMID_CHILD pidlOld, PCUITEMID_CHILD pidlNew
lvItem.iImage = SHMapPIDLToSystemImageListIndex(m_pSFParent, pidlNew, 0); lvItem.iImage = SHMapPIDLToSystemImageListIndex(m_pSFParent, pidlNew, 0);
m_ListView.SetItem(&lvItem); m_ListView.SetItem(&lvItem);
m_ListView.Update(nItem); m_ListView.Update(nItem);
SHFree(oldPidl); /* Now that the new item is in place, we can safely release the old pidl */
return TRUE; /* FIXME: better handling */ return TRUE; /* FIXME: better handling */
} }