ntdll: Fix use-after-free.

Fixes a regression introduced by 76f94957. nt_name or redir is used in open_unix_file() because attr.ObjectName points to either of them. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=51702Signed-off-by: Akihiro Sagawa <sagawa.aki@gmail.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

ntdll: Fix use-after-free.
8a3e0d68 · Akihiro Sagawa · Alexandre Julliard · 8756ae39 · 8a3e0d68
Commit 8a3e0d68 authored Aug 29, 2021 by Akihiro Sagawa Committed by Alexandre Julliard Aug 30, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

process.c dlls/ntdll/unix/process.c +6 -4

No files found.
--- a/dlls/ntdll/unix/process.c
+++ b/dlls/ntdll/unix/process.c
@@ -368,16 +368,18 @@ static int get_unix_curdir( const RTL_USER_PROCESS_PARAMETERS *params )
    InitializeObjectAttributes( &attr, &nt_name, OBJ_CASE_INSENSITIVE, 0, NULL );
    get_redirect( &attr, &redir );
    status = nt_to_unix_file_name( &attr, &unix_name, FILE_OPEN );
-    free( nt_name.Buffer );
-    free( redir.Buffer );
-    if (status) return -1;
+    if (status) goto done;
    status = open_unix_file( &handle, unix_name, FILE_TRAVERSE | SYNCHRONIZE, &attr, 0,
                             FILE_SHARE_READ | FILE_SHARE_DELETE,
                             FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 );
    free( unix_name );
-    if (status) return -1;
+    if (status) goto done;
    wine_server_handle_to_fd( handle, FILE_TRAVERSE, &fd, NULL );
    NtClose( handle );
+
+done:
+    free( nt_name.Buffer );
+    free( redir.Buffer );
    return fd;
 }