mf: Avoid a double free of presentation clock timers.

In clock_change_state() when a clock is running, a timer is removed from clock->timers. The same timer is then used to create an async result, which will eventually calls present_clock_timer_callback_Invoke() and release the same timer. Check if the timer is still in clock->timers before releasing it.

mf: Avoid a double free of presentation clock timers.
e4cdcb1e · Zhiyi Zhang · Alexandre Julliard · 8f282944 · e4cdcb1e
Commit e4cdcb1e authored Sep 27, 2023 by Zhiyi Zhang Committed by Alexandre Julliard Oct 09, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 4 deletions

clock.c dlls/mf/clock.c +10 -4

No files found.
--- a/dlls/mf/clock.c
+++ b/dlls/mf/clock.c
@@ -1108,13 +1108,19 @@ static HRESULT WINAPI present_clock_timer_callback_Invoke(IMFAsyncCallback *ifac
    if (FAILED(hr = IMFAsyncResult_GetObject(result, &object)))
        return hr;

-    timer = impl_clock_timer_from_IUnknown(object);
-
    EnterCriticalSection(&clock->cs);
-    list_remove(&timer->entry);
-    IUnknown_Release(&timer->IUnknown_iface);
+    LIST_FOR_EACH_ENTRY(timer, &clock->timers, struct clock_timer, entry)
+    {
+        if (&timer->IUnknown_iface == object)
+        {
+            list_remove(&timer->entry);
+            IUnknown_Release(&timer->IUnknown_iface);
+            break;
+        }
+    }
    LeaveCriticalSection(&clock->cs);

+    timer = impl_clock_timer_from_IUnknown(object);
    IMFAsyncCallback_Invoke(timer->callback, timer->result);

    IUnknown_Release(object);