From 45263e3196291f55f44f235a0d3172301050b111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B3zef=20Kucia?=
Date: Thu, 27 Apr 2017 12:02:52 +0200
Subject: [PATCH] d3d11: Avoid potential double free in d3d11_device_CreateRasterizerState().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The parent is owned by the wined3d_rasterizer_state object and it is destroyed in the wined3d_object_destroyed() callback.

Signed-off-by: Józef Kucia
Signed-off-by: Henri Verbeet
Signed-off-by: Alexandre Julliard
---
 dlls/d3d11/state.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/dlls/d3d11/state.c b/dlls/d3d11/state.c
index f10e713e761..2b5a2c06ee8 100644
--- a/dlls/d3d11/state.c
+++ b/dlls/d3d11/state.c
@@ -882,24 +882,27 @@ HRESULT d3d_rasterizer_state_init(struct d3d_rasterizer_state *state, struct d3d
 wined3d_private_store_init(&state->private_store);
 state->desc = *desc;
+ if (wine_rb_put(&device->rasterizer_states, desc, &state->entry) == -1)
+ {
+ ERR("Failed to insert rasterizer state entry.\n");
+ wined3d_private_store_cleanup(&state->private_store);
+ wined3d_mutex_unlock();
+ return E_FAIL;
+ }
+
 wined3d_desc.front_ccw = desc->FrontCounterClockwise;
+
+ /* We cannot fail after creating a wined3d_rasterizer_state object. It
+ * would lead to double free. */
 if (FAILED(hr = wined3d_rasterizer_state_create(device->wined3d_device, &wined3d_desc, state, &d3d_rasterizer_state_wined3d_parent_ops, &state->wined3d_state)))
 {
 WARN("Failed to create wined3d rasterizer state, hr %#x.\n", hr);
 wined3d_private_store_cleanup(&state->private_store);
+ wine_rb_remove(&device->rasterizer_states, &state->entry);
 wined3d_mutex_unlock();
 return hr;
 }
-
- if (wine_rb_put(&device->rasterizer_states, desc, &state->entry) == -1)
- {
- ERR("Failed to insert rasterizer state entry.\n");
- wined3d_private_store_cleanup(&state->private_store);
- wined3d_rasterizer_state_decref(state->wined3d_state);
- wined3d_mutex_unlock();
- return E_FAIL;
- }
 wined3d_mutex_unlock();
 ID3D11Device_AddRef(state->device = &device->ID3D11Device_iface);
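Review bot: The comment added above the `wined3d_rasterizer_state_create()` call states that failing afterwards "would lead to double free" without saying why, so the invariant that prevents the memory corruption lives only in the commit message. I would put the ownership rule in the code, e.g. `/* Once created, the wined3d object owns "state" as its parent and frees it from the wined3d_object_destroyed() callback; no error return is allowed past this point. */`. Separately, the entry is now linked into `device->rasterizer_states` before `state->wined3d_state` is set, which looks safe only because the wined3d mutex is still held; that presumably requires every lookup in the tree to take the same lock, which this hunk does not show. `d3d_rasterizer_state_init()` starts and ends outside the hunk, so the code after `ID3D11Device_AddRef()` could not be checked for later failure paths.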