From 8a3e0d686ea4cbff33dc45bb63e71f132c22797a Mon Sep 17 00:00:00 2001
From: Akihiro Sagawa
Date: Sun, 29 Aug 2021 21:35:14 +0900
Subject: [PATCH] ntdll: Fix use-after-free.
Fixes a regression introduced by 76f949577aac88bbde4e9e7b904587f5bc8c808d. nt_name or redir is used in open_unix_file() because attr.ObjectName points to either of them.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=51702
Signed-off-by: Akihiro Sagawa
Signed-off-by: Alexandre Julliard
---
 dlls/ntdll/unix/process.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/dlls/ntdll/unix/process.c b/dlls/ntdll/unix/process.c
index d7f3edf4330..f5b8b5315cd 100644
--- a/dlls/ntdll/unix/process.c
+++ b/dlls/ntdll/unix/process.c
@@ -368,16 +368,18 @@ static int get_unix_curdir( const RTL_USER_PROCESS_PARAMETERS *params )
     InitializeObjectAttributes( &attr, &nt_name, OBJ_CASE_INSENSITIVE, 0, NULL );
     get_redirect( &attr, &redir );
     status = nt_to_unix_file_name( &attr, &unix_name, FILE_OPEN );
-    free( nt_name.Buffer );
-    free( redir.Buffer );
-    if (status) return -1;
+    if (status) goto done;
     status = open_unix_file( &handle, unix_name, FILE_TRAVERSE | SYNCHRONIZE, &attr, 0, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 );
     free( unix_name );
-    if (status) return -1;
+    if (status) goto done;
     wine_server_handle_to_fd( handle, FILE_TRAVERSE, &fd, NULL );
     NtClose( handle );
+
+done:
+    free( nt_name.Buffer );
+    free( redir.Buffer );
     return fd;
 }
-- 
2.11.4.GIT
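Review bot: The two `goto done` paths now return whatever `fd` holds instead of the explicit -1 the removed lines returned, so the function's error contract now rests on `fd` being initialised to -1 before this hunk (the start of get_unix_curdir is outside it) and on `wine_server_handle_to_fd` not leaving `fd` with a stale value when it fails — neither is visible here, and that call's result is ignored. If it reports failure through its return value, guarding it as `if (wine_server_handle_to_fd( handle, FILE_TRAVERSE, &fd, NULL )) fd = -1;` makes the -1 contract explicit regardless of how `fd` was initialised. The reason the frees had to move is only in the commit message, not the code, so a comment above the frees under `done:`, `/* attr.ObjectName aliases nt_name or redir (set by get_redirect), so both must outlive open_unix_file */`, would stop a later cleanup from hoisting them back up and reintroducing the use-after-free.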