From 55ad3fdda2453d36cda66f286b08cf5620c02523 Mon Sep 17 00:00:00 2001 From: Hans Leidekker Date: Mon, 20 Apr 2009 16:09:12 +0200 Subject: [PATCH] msi: Fix another double free. parser_alloc() allocates memory and puts it on a list attached the to query object. EXPR_sval() frees memory allocated via parser_alloc() on error but does not remove the pointer from the list, which means that when the query destructor is called it will be freed again. --- dlls/msi/sql.y | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dlls/msi/sql.y b/dlls/msi/sql.y index 425b584ae69..d71c1861ccc 100644 --- a/dlls/msi/sql.y +++ b/dlls/msi/sql.y @@ -876,10 +876,7 @@ static struct expr * EXPR_sval( void *info, const struct sql_str *str ) { e->type = EXPR_SVAL; if( SQL_getstring( info, str, (LPWSTR *)&e->u.sval ) != ERROR_SUCCESS ) - { - msi_free( e ); - return NULL; - } + return NULL; /* e will be freed by query destructor */ } return e; } -- 2.11.4.GIT