d3d9: Fix crash in d3d9_vertexbuffer_Release().

If there is no draw buffer then buffer pointer gets freed in wined3d_buffer_decref() via d3d9_vertexbuffer_wined3d_parent_ops and consequent check for buffer->draw_buffer results in freed memory access. Signed-off-by: Paul Gofman <gofmanp@gmail.com> Signed-off-by: Henri Verbeet <hverbeet@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

d3d9: Fix crash in d3d9_vertexbuffer_Release().
e6c6be1c · Paul Gofman · Alexandre Julliard · cc743f8e · e6c6be1c
Commit e6c6be1c authored Dec 18, 2018 by Paul Gofman Committed by Alexandre Julliard Dec 20, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

buffer.c dlls/d3d9/buffer.c +3 -2

No files found.
--- a/dlls/d3d9/buffer.c
+++ b/dlls/d3d9/buffer.c
@@ -76,12 +76,13 @@ static ULONG WINAPI d3d9_vertexbuffer_Release(IDirect3DVertexBuffer9 *iface)

    if (!refcount)
    {
+        struct wined3d_buffer *draw_buffer = buffer->draw_buffer;
        IDirect3DDevice9Ex *device = buffer->parent_device;

        wined3d_mutex_lock();
        wined3d_buffer_decref(buffer->wined3d_buffer);
-        if (buffer->draw_buffer)
-            wined3d_buffer_decref(buffer->draw_buffer);
+        if (draw_buffer)
+            wined3d_buffer_decref(draw_buffer);
        wined3d_mutex_unlock();

        /* Release the device last, as it may cause the device to be destroyed. */