WPF XpsSerialization crashes intermittently caused by double free #1554
Assignees
Labels
Bug
Product bug (most likely)
.NET Framework
netfx-servicing-approved
Netfx Approved for Servicing
tell-mode
Issues and PR's that require notice to .NET Core Shiproom
Milestone
Comments
rladuca
added
area-netfx
netfx-servicing-approved
|
Related to #1511 |
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
This is a port of a .NET Framework servicing bug: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/961349
During execution of CreateTTFDeltaEx, the call-chain may re-allocate and move *ppuchDestBuffer. If this happens and an error condition occurs, we will return the buffer that realloc de-allocated. Callers may then double-free *ppuchDestBuffer.
To fix this, set *ppuchDestBuffer to NULL after it is stored in OutputBufferInfo.puchBuffer. After this change, the non-error return will set *ppuchDestBuffer to OutputBufferInfo.puchBuffer as always, but the error case will de-allocate OutputBufferInfo.puchBuffer (as was intended) and return NULL in *ppuchDestBuffer. Callers then cannot double-free the buffer.
The text was updated successfully, but these errors were encountered: