Commit 03aa9e13 authored by Rémi Bernon's avatar Rémi Bernon Committed by Alexandre Julliard

services: Use a separate allocation for NotifyParamsArray[0].params.

The pointer might be freed by RPC NdrPointerFree, which will try to use a dedicated free call for the array elements, and fail.
parent bea9ef83
......@@ -102,6 +102,8 @@ static void sc_notify_release(struct sc_notify_handle *notify)
if (r == 0)
{
CloseHandle(notify->event);
if (notify->params_list)
free(notify->params_list->NotifyParamsArray[0].params);
free(notify->params_list);
free(notify);
}
......@@ -841,11 +843,14 @@ static void fill_notify(struct sc_notify_handle *notify, struct service_entry *s
SC_RPC_NOTIFY_PARAMS_LIST *list;
SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2 *cparams;
list = calloc(1, sizeof(SC_RPC_NOTIFY_PARAMS_LIST) + sizeof(SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2));
list = calloc(1, sizeof(SC_RPC_NOTIFY_PARAMS_LIST));
if (!list)
return;
cparams = (SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2 *)(list + 1);
if (!(cparams = calloc(1, sizeof(SERVICE_NOTIFY_STATUS_CHANGE_PARAMS_2))))
{
free(list);
return;
}
cparams->dwNotifyMask = notify->notify_mask;
fill_status_process(&cparams->ServiceStatus, service);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment