From: Thomas Faber
Subject: quartz: Destroy BaseFilter after child class. (with patch...)
Message-Id: <53CD64CC.3030201@reactos.org>
Date: Mon, 21 Jul 2014 21:06:52 +0200
For the AsyncReader, this is a use after free on the critical section again. The NullRenderer doesn't have any pins, so that change is mostly cosmetical to align it with the other classes. The Parser change fixes a memory leak in addition to the use after free, because AVISplitter_Release manually decrements the refCount and calls Parser_Destroy instead of using Parser_Release -- so the filter's members were never released in this code path.
From 4df37980066b66b7e822188a46a97185bcd1cfbe Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Sat, 19 Jul 2014 10:29:54 +0200
Subject: quartz: Destroy BaseFilter after child class.
---
 dlls/quartz/filesource.c | 3 ++-
 dlls/quartz/nullrenderer.c | 3 ++-
 dlls/quartz/parser.c | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/dlls/quartz/filesource.c b/dlls/quartz/filesource.c
index a0af3a4..96d83a1 100644
--- a/dlls/quartz/filesource.c
+++ b/dlls/quartz/filesource.c
@@ -480,7 +480,7 @@ static HRESULT WINAPI AsyncReader_QueryInterface(IBaseFilter * iface, REFIID rii
 static ULONG WINAPI AsyncReader_Release(IBaseFilter * iface)
 {
 AsyncReader *This = impl_from_IBaseFilter(iface);
- ULONG refCount = BaseFilterImpl_Release(iface);
+ ULONG refCount = InterlockedDecrement(&This->filter.refCount);
 TRACE("(%p)->() Release from %d\n", This, refCount + 1);
@@ -500,6 +500,7 @@ static ULONG WINAPI AsyncReader_Release(IBaseFilter * iface)
 CoTaskMemFree(This->pszFileName);
 if (This->pmt) FreeMediaType(This->pmt);
+ BaseFilter_Destroy(&This->filter);
 CoTaskMemFree(This);
 return 0;
 }
diff --git a/dlls/quartz/nullrenderer.c b/dlls/quartz/nullrenderer.c
index 16a24ac..7befc46 100644
--- a/dlls/quartz/nullrenderer.c
+++ b/dlls/quartz/nullrenderer.c
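Review bot: The new `InterlockedDecrement(&This->filter.refCount)` in AsyncReader_Release (filesource.c, hunk at -480) reaches into the base filter's counter with no comment saying why the base release is bypassed, and the same open-coded line is repeated in NullRendererInner_Release and Parser_Release. Going by the commit description, the base has to stay valid until the child's cleanup has run because that cleanup still uses the filter's critical section, so a later edit that "simplifies" this back to the base release would presumably reintroduce the use after free. I would add above the line `/* Not BaseFilterImpl_Release(): the base filter and its critical section must outlive our own cleanup; BaseFilter_Destroy() is called last. */`. The part of AsyncReader_Release between the two filesource.c hunks is not shown, so which cleanup steps actually take the lock cannot be confirmed from here.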
@@ -128,11 +128,12 @@ static ULONG WINAPI NullRendererInner_AddRef(IUnknown *iface)
 static ULONG WINAPI NullRendererInner_Release(IUnknown *iface)
 {
 NullRendererImpl *This = impl_from_IUnknown(iface);
- ULONG refCount = BaseFilterImpl_Release(&This->renderer.filter.IBaseFilter_iface);
+ ULONG refCount = InterlockedDecrement(&This->renderer.filter.refCount);
 if (!refCount)
 {
 TRACE("Destroying Null Renderer\n");
+ BaseFilter_Destroy(&This->renderer.filter);
 CoTaskMemFree(This);
 }
diff --git a/dlls/quartz/parser.c b/dlls/quartz/parser.c
index f702c62..b57bae4 100644
--- a/dlls/quartz/parser.c
+++ b/dlls/quartz/parser.c
@@ -194,6 +194,7 @@ void Parser_Destroy(ParserImpl *This)
 }
 CoTaskMemFree(This->ppPins);
+ BaseFilter_Destroy(&This->filter);
 TRACE("Destroying parser\n");
 CoTaskMemFree(This);
@@ -202,7 +203,7 @@ void Parser_Destroy(ParserImpl *This)
 ULONG WINAPI Parser_Release(IBaseFilter * iface)
 {
 ParserImpl *This = impl_from_IBaseFilter(iface);
- ULONG refCount = BaseFilterImpl_Release(iface);
+ ULONG refCount = InterlockedDecrement(&This->filter.refCount);
 TRACE("(%p)->() Release from %d\n", This, refCount + 1);
--
1.9.0.msysgit.0
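Review bot: `BaseFilter_Destroy(&This->renderer.filter);` in NullRendererInner_Release tears down only the `filter` member of the embedded `renderer`, and nothing else in the destroy branch releases the rest of `This->renderer` before `CoTaskMemFree(This)`. If the renderer base owns anything beyond the filter (not visible in this hunk), it is still leaked on this path; that would predate the commit, but the destructor is being touched here anyway. It is worth confirming whether a renderer-level teardown should run before the filter-level one, and recording the answer in a comment next to the new call. The function continues past the end of the hunk.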
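Review bot: Parser_Destroy is a non-static function, and with the added `BaseFilter_Destroy(&This->filter);` it now ends the base filter's lifetime as well as the parser's, which changes its contract for every caller. The commit description names AVISplitter_Release as a caller that decrements the count by hand; any other caller outside this diff that still goes through the base release before calling Parser_Destroy would presumably destroy the base twice, so those call sites should be checked. A contract comment on the function would make this explicit, for example `/* Call exactly once, after the reference count has reached zero; also destroys the base filter. */`. The start of Parser_Destroy lies above the hunk.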