From: Yuxuan Shui <yshui@codeweavers.com>
When an async object enters the async queue, its fd is released (to avoid a reference cycle I assume?). In screen_buffer_destroy, the screen_buffer's fd is released first; this causes it to be freed even when it could still be referenced by an async object in the queue. This means free_async_queue could use freed memory.
---
 server/console.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/console.c b/server/console.c index 8f01311892f..f0cb6689d4b 100644 --- a/server/console.c +++ b/server/console.c @@ -861,9 +861,9 @@ static void screen_buffer_destroy( struct object *obj ) queue_host_ioctl( screen_buffer->input->server, IOCTL_CONDRV_CLOSE_OUTPUT, screen_buffer->id, NULL, NULL ); } + free_async_queue( &screen_buffer->ioctl_q ); if (screen_buffer->sync) release_object( screen_buffer->sync ); if (screen_buffer->fd) release_object( screen_buffer->fd ); - free_async_queue( &screen_buffer->ioctl_q ); }
static struct object *screen_buffer_open_file( struct object *obj, unsigned int access,
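Review bot: Moving free_async_queue( &screen_buffer->ioctl_q ) above the two release_object calls closes the window described in the message, but the commit message should state the mechanism definitively rather than hedging with "I assume?": if the queued async objects do not hold a reference on the fd, then releasing screen_buffer->fd before draining ioctl_q is exactly what leaves dangling references for free_async_queue to walk, and that sentence is the justification a reader of the log needs. It would also help to say in the message whether the same fd-before-queue ordering exists in other destroy callbacks in this file, so reviewers know this hunk is the only place that needs the reorder.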