From e6c6be1cf75db1cf58f39d170ab6a7f3d7bc5663 Mon Sep 17 00:00:00 2001
From: Paul Gofman
Date: Tue, 18 Dec 2018 19:57:22 +0300
Subject: [PATCH] d3d9: Fix crash in d3d9_vertexbuffer_Release().

If there is no draw buffer then buffer pointer gets freed in wined3d_buffer_decref() via d3d9_vertexbuffer_wined3d_parent_ops and consequent check for buffer->draw_buffer results in freed memory access.

Signed-off-by: Paul Gofman
Signed-off-by: Henri Verbeet
Signed-off-by: Alexandre Julliard
---
 dlls/d3d9/buffer.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dlls/d3d9/buffer.c b/dlls/d3d9/buffer.c
index 1533a8496d2..7e178f278fd 100644
--- a/dlls/d3d9/buffer.c
+++ b/dlls/d3d9/buffer.c
@@ -76,12 +76,13 @@ static ULONG WINAPI d3d9_vertexbuffer_Release(IDirect3DVertexBuffer9 *iface)
 if (!refcount)
 {
+ struct wined3d_buffer *draw_buffer = buffer->draw_buffer;
 IDirect3DDevice9Ex *device = buffer->parent_device;
 wined3d_mutex_lock();
 wined3d_buffer_decref(buffer->wined3d_buffer);
- if (buffer->draw_buffer)
- wined3d_buffer_decref(buffer->draw_buffer);
+ if (draw_buffer)
+ wined3d_buffer_decref(draw_buffer);
 wined3d_mutex_unlock();
 /* Release the device last, as it may cause the device to be destroyed. */
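Review bot: The new `draw_buffer` local in the `if (!refcount)` branch fixes the use-after-free, but nothing in the code says why the field has to be read before the first `wined3d_buffer_decref()`. A later cleanup could fold the local back into `buffer->draw_buffer` and bring the freed-memory read back. I would add a comment above the declaration such as `/* Read draw_buffer now: wined3d_buffer_decref() may free 'buffer' via the parent ops. */`; the existing `device` local depends on the same ordering. The body of d3d9_vertexbuffer_Release() continues outside the hunk, so any remaining use of `buffer` after the two decref calls should be checked as well. A test run under AddressSanitizer or Valgrind that releases a vertex buffer with no draw buffer would catch a regression.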