From 1d7d3f58d6666e2a5793a79ea8a28476f961e9c2 Mon Sep 17 00:00:00 2001
From: Nikolay Sivov
Date: Tue, 10 May 2022 19:13:24 +0300
Subject: [PATCH] mfplat/sample: Fix use-after-free of a critical section.
Signed-off-by: Nikolay Sivov
Signed-off-by: Alexandre Julliard
---
 dlls/mfplat/sample.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/dlls/mfplat/sample.c b/dlls/mfplat/sample.c
index ed39b5f7297..687ada1a477 100644
--- a/dlls/mfplat/sample.c
+++ b/dlls/mfplat/sample.c
@@ -183,22 +183,25 @@ static ULONG WINAPI sample_tracked_Release(IMFSample *iface)
 {
 struct sample *sample = impl_from_IMFSample(iface);
 ULONG refcount = InterlockedDecrement(&sample->attributes.ref);
+ IRtwqAsyncResult *tracked_result = NULL;
 HRESULT hr;
 EnterCriticalSection(&sample->attributes.cs);
 if (sample->tracked_result && sample->tracked_refcount == refcount)
 {
- IRtwqAsyncResult *tracked_result = sample->tracked_result;
+ tracked_result = sample->tracked_result;
 sample->tracked_result = NULL;
 sample->tracked_refcount = 0;
 /* Call could fail if queue system is not initialized, it's not critical. */
 if (FAILED(hr = RtwqInvokeCallback(tracked_result)))
 WARN("Failed to invoke tracking callback, hr %#lx.\n", hr);
- IRtwqAsyncResult_Release(tracked_result);
 }
 LeaveCriticalSection(&sample->attributes.cs);
+ if (tracked_result)
+ IRtwqAsyncResult_Release(tracked_result);
+
 TRACE("%p, refcount %lu.\n", iface, refcount);
 if (!refcount)
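Review bot: The deferred `IRtwqAsyncResult_Release(tracked_result)` after `LeaveCriticalSection` has no comment saying why it must stay outside the lock, so a later cleanup could fold it back into the `if` block and reintroduce the use-after-free named in the subject. I would add above the new `if (tracked_result)`: `/* Release outside the lock: dropping the result may free the sample and its critical section. */` (the mechanism is inferred from the commit subject, so adjust the wording if it differs). Separately, `sample->attributes.cs` is still entered after `InterlockedDecrement` has already given up this caller's reference; presumably the reference held through the tracked result keeps the sample alive until then, which is worth confirming or stating in the same comment. The function body continues past the end of the hunk.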