Fix crash due to UAF

yungcomputerchair · yungcomputerchair · commit ec0d4b9c65ab · 2026-05-08T17:51:10.000-07:00
diff --git a/requests.c b/requests.c
@@ -570,9 +570,11 @@ VOID CALLBACK
 handle_request(PTP_CALLBACK_INSTANCE inst, void *reqArg, PTP_WORK work)
 {
     Request *req;
+    HANDLE doneEvent;
     bool done;
 
     req = (Request *)reqArg;
+    doneEvent = req->doneEvent;
     done = false;
     while (!done) {
         if (req->source == REQ_SRC_UNSET) {
@@ -602,8 +604,8 @@ handle_request(PTP_CALLBACK_INSTANCE inst, void *reqArg, PTP_WORK work)
         }
     }
 
-    if (req->doneEvent != INVALID_HANDLE_VALUE) {
-        SetEvent(req->doneEvent);
+    if (doneEvent != INVALID_HANDLE_VALUE) {
+        SetEvent(doneEvent);
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -570,9 +570,11 @@ VOID CALLBACK`
`570`	`570`	`handle_request(PTP_CALLBACK_INSTANCE inst, void *reqArg, PTP_WORK work)`
`571`	`571`	`{`
`572`	`572`	`Request *req;`
	`573`	`+ HANDLE doneEvent;`
`573`	`574`	`bool done;`
`574`	`575`
`575`	`576`	`req = (Request *)reqArg;`
	`577`	`+ doneEvent = req->doneEvent;`
`576`	`578`	`done = false;`
`577`	`579`	`while (!done) {`
`578`	`580`	`if (req->source == REQ_SRC_UNSET) {`
`@@ -602,8 +604,8 @@ handle_request(PTP_CALLBACK_INSTANCE inst, void *reqArg, PTP_WORK work)`
`602`	`604`	`}`
`603`	`605`	`}`
`604`	`606`
`605`		`- if (req->doneEvent != INVALID_HANDLE_VALUE) {`
`606`		`- SetEvent(req->doneEvent);`
	`607`	`+ if (doneEvent != INVALID_HANDLE_VALUE) {`
	`608`	`+ SetEvent(doneEvent);`
`607`	`609`	`}`
`608`	`610`	`}`
`609`	`611`