Skip to content

WPF XpsSerialization crashes intermittently caused by double free #1554

New issue
New issue
Closed
Closed
WPF XpsSerialization crashes intermittently caused by double free#1554
Assignees
rladuca
Labels
.NET FrameworkBugProduct bug (most likely)netfx-servicing-approvedNetfx Approved for Servicingtell-modeIssues and PR's that require notice to .NET Core Shiproom
Milestone
3.0
@rladuca

Description

@rladuca
rladuca
opened on Aug 7, 2019

This is a port of a .NET Framework servicing bug: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/961349

During execution of CreateTTFDeltaEx, the call-chain may re-allocate and move *ppuchDestBuffer. If this happens and an error condition occurs, we will return the buffer that realloc de-allocated. Callers may then double-free *ppuchDestBuffer.

To fix this, set *ppuchDestBuffer to NULL after it is stored in OutputBufferInfo.puchBuffer. After this change, the non-error return will set *ppuchDestBuffer to OutputBufferInfo.puchBuffer as always, but the error case will de-allocate OutputBufferInfo.puchBuffer (as was intended) and return NULL in *ppuchDestBuffer. Callers then cannot double-free the buffer.

Metadata

Metadata

Assignees

Labels

.NET FrameworkBugProduct bug (most likely)netfx-servicing-approvedNetfx Approved for Servicingtell-modeIssues and PR's that require notice to .NET Core Shiproom

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions