From: Zhiyi Zhang
Subject: [PATCH] riched20: Fix a use after free.
Message-Id: <7c53ebaf-ef86-db7e-ac80-bd8b2818d7d5@codeweavers.com>
Date: Wed, 2 Jan 2019 00:03:29 +0800
In ME_DestroyEditor(), the item list is being freed when calling get_total_width() in destroy_para().
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46328
Signed-off-by: Zhiyi Zhang
---
 dlls/riched20/editor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 9bacc6315d..2bb285866b 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -3183,13 +3183,13 @@ ME_TextEditor *ME_MakeEditor(ITextHost *texthost, BOOL bEmulateVersion10)
 void ME_DestroyEditor(ME_TextEditor *editor)
 {
- ME_DisplayItem *pFirst = editor->pBuffer->pFirst;
- ME_DisplayItem *p = pFirst, *pNext = NULL;
+ ME_DisplayItem *p = editor->pBuffer->pFirst, *pNext = NULL;
 ME_Style *s, *cursor2;
 int i;
 ME_ClearTempStyle(editor);
 ME_EmptyUndoStack(editor);
+ editor->pBuffer->pFirst = NULL;
 while(p) {
 pNext = p->next;
 if (p->type == diParagraph)
-- 
2.19.2
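Review bot: The new `editor->pBuffer->pFirst = NULL;` ahead of the `while(p)` loop carries no comment, so it reads as a dead store that a later clean-up could drop, bringing the use after free back. I would put `/* Detach the list head first: destroy_para() calls get_total_width(), which must not walk items this loop has already freed. */` directly above it. The fix also relies on get_total_width() treating a NULL `pFirst` as an empty list, which is not visible in this hunk and should be confirmed. `editor->pBuffer->pLast` appears to be left pointing into the list being freed, so if any teardown path reads it, clearing it at the same point would close the same hole. ME_DestroyEditor's body continues past the end of the hunk.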