• Dmitry Timoshkov's avatar
    uxtheme: Protect CloseThemeData() from invalid input. · 2ae7ecb9
    Dmitry Timoshkov authored
    With test case by Michael Müller <michael@fds-team.de>.
    
    Zhiyi Zhang's comments:
    
    Some applications close the same HTHEME handle more than once, causing use-after-free. HTHEME is a
    handle rather than a pointer. Some testing shows that it's a handle starting from 0x10000 or 0x20000.
    Each new handle increments from the first handle and closing handles decrements it. I prefer not to
    implement this handle to data map for now because it will likely hurt performance.
    
    Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=29974
    2ae7ecb9
msstyles.c 44.2 KB