From 1e79217fb0c63fc53cf021fb203e282b1bae3b04 Mon Sep 17 00:00:00 2001 From: Brendan McGrath Date: Thu, 11 Jan 2024 15:48:52 +1100 Subject: [PATCH] d2d1: Fix double free bug when d2d_geometry_sink_Close fails. geometry->fill.bezier_vertices was being freed on the failed path in d2d_geometry_sink_Close and then again when the path geometry was released (in d2d_geometry_cleanup). By setting it to NULL after freeing it initially, all other calls to free it are a no-op. --- dlls/d2d1/geometry.c | 1 + 1 file changed, 1 insertion(+) diff --git a/dlls/d2d1/geometry.c b/dlls/d2d1/geometry.c index 9b0b7844739..3da3ad2e65b 100644 --- a/dlls/d2d1/geometry.c +++ b/dlls/d2d1/geometry.c @@ -3247,6 +3247,7 @@ done: if (FAILED(hr)) { free(geometry->fill.bezier_vertices); + geometry->fill.bezier_vertices = NULL; geometry->fill.bezier_vertex_count = 0; d2d_path_geometry_free_figures(geometry); geometry->u.path.state = D2D_GEOMETRY_STATE_ERROR; -- 2.11.4.GIT
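Review bot: The fix is sound, but it would be stronger with a test: the hunk clears `geometry->fill.bezier_vertices` right after `free()` so the later `free()` in `d2d_geometry_cleanup` becomes a no-op on NULL, and the existing `geometry->fill.bezier_vertex_count = 0;` on the next line keeps the count consistent with the now-empty buffer, yet nothing here exercises the failing `d2d_geometry_sink_Close` path followed by a release of the path geometry, which is exactly the double-free sequence the commit message describes. A d2d1 test that drives a sink to the error state and then releases the geometry would guard against reintroducing this; it should also confirm that every other free site for `fill.bezier_vertices` reachable from the `D2D_GEOMETRY_STATE_ERROR` state checks the count (now 0) or tolerates the NULL pointer rather than dereferencing it.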