From 5789b94f197894c314604b6dc31ce153d1526b73 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner <sebastian@fds-team.de>
Date: Sun, 16 Oct 2016 08:48:55 +0200
Subject: [PATCH] ntoskrnl.exe: Defer deallocation of in_buff in
 dispatch_ioctl.

Signed-off-by: Sebastian Lackner <sebastian@fds-team.de>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
---
 dlls/ntoskrnl.exe/ntoskrnl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 428e7006a44..3c18ee654a5 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -417,6 +417,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
 {
     IRP *irp;
     void *out_buff = NULL;
+    void *to_free = NULL;
     DEVICE_OBJECT *device;
     FILE_OBJECT *file = wine_server_get_ptr( params->ioctl.file );
 
@@ -435,7 +436,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
         if ((params->ioctl.code & 3) == METHOD_BUFFERED)
         {
             memcpy( out_buff, in_buff, in_size );
-            HeapFree( GetProcessHeap(), 0, in_buff );
+            to_free = in_buff;
             in_buff = out_buff;
         }
     }
@@ -455,6 +456,7 @@ static NTSTATUS dispatch_ioctl( const irp_params_t *params, void *in_buff, ULONG
     irp->Flags |= IRP_DEALLOCATE_BUFFER;  /* deallocate in_buff */
     dispatch_irp( device, irp, irp_handle );
 
+    HeapFree( GetProcessHeap(), 0, to_free );
     return STATUS_SUCCESS;
 }
 
-- 
2.11.4.GIT