From c9977df85306f0403c7eeeee7fd041d9b3ac88f8 Mon Sep 17 00:00:00 2001 From: Dylan Smith Date: Sat, 27 Dec 2008 00:06:40 -0500 Subject: [PATCH] richedit: Prevented a dereference of a freed pointer. On WM_DESTROY the editor was getting freed, then it was used to obtain a handle to the editor. This patch moves it just before the editor is freed within ME_DestroyEditor. --- dlls/riched20/editor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c index c93a1e484f5..b5a69f78910 100644 --- a/dlls/riched20/editor.c +++ b/dlls/riched20/editor.c @@ -2685,6 +2685,7 @@ void ME_DestroyEditor(ME_TextEditor *editor) DeleteObject(editor->hbrBackground); if(editor->lpOleCallback) IUnknown_Release(editor->lpOleCallback); + SetWindowLongPtrW(editor->hWnd, 0, 0); OleUninitialize(); FREE_OBJ(editor->pBuffer); @@ -3821,7 +3822,6 @@ LRESULT ME_HandleMessage(ME_TextEditor *editor, UINT msg, WPARAM wParam, } case WM_DESTROY: ME_DestroyEditor(editor); - SetWindowLongPtrW(editor->hWnd, 0, 0); return 0; case WM_SETCURSOR: {