Fix memory errors caused by invalid pointer access in Release() and broken ComPtr smart pointer implementation.

PCMan · PCMan · commit 4b6076759928 · 2017-05-04T00:23:53.000+08:00
diff --git a/ComPtr.h b/ComPtr.h
@@ -33,8 +33,8 @@ class ComPtr {
 	ComPtr(void): p_(NULL) {
 	}
 
-	ComPtr(T* p): p_(p) {
-		if(p_)
+	ComPtr(T* p, bool ref = true): p_(p) {
+		if(p_ && ref)
 			p_->AddRef();
 	}
 
@@ -81,12 +81,17 @@ class ComPtr {
 		return p_ < p;
 	}
 
+	ComPtr& operator = (const ComPtr& other) {
+		return operator = (other.p_);
+	}
+
 	ComPtr& operator = (T* p) {
-		if(p_)
-			p_->Release();
+		T* old = p_;
 		p_ = p;
 		if(p_)
 			p_->AddRef();
+		if (old)
+			old->Release();
 		return *this;
 	}
 
diff --git a/DisplayAttributeInfo.cpp b/DisplayAttributeInfo.cpp
@@ -62,10 +62,10 @@ STDMETHODIMP_(ULONG) DisplayAttributeInfo::AddRef(void) {
 
 STDMETHODIMP_(ULONG) DisplayAttributeInfo::Release(void) {
 	assert(refCount_ > 0);
-	--refCount_;
+	const ULONG newCount = --refCount_;
 	if(0 == refCount_)
 		delete this;
-	return refCount_;
+	return newCount;
 }
 
 // ITfDisplayAttributeInfo
diff --git a/DisplayAttributeInfoEnum.cpp b/DisplayAttributeInfoEnum.cpp
@@ -62,10 +62,10 @@ STDMETHODIMP_(ULONG) DisplayAttributeInfoEnum::AddRef(void) {
 
 STDMETHODIMP_(ULONG) DisplayAttributeInfoEnum::Release(void) {
 	assert(refCount_ > 0);
-	--refCount_;
-	if(0 == refCount_)
+	const ULONG newCount = --refCount_;
+	if (0 == refCount_)
 		delete this;
-	return refCount_;
+	return newCount;
 }
 
 
diff --git a/DisplayAttributeProvider.cpp b/DisplayAttributeProvider.cpp
@@ -61,10 +61,10 @@ STDMETHODIMP_(ULONG) DisplayAttributeProvider::AddRef(void) {
 
 STDMETHODIMP_(ULONG) DisplayAttributeProvider::Release(void) {
 	assert(refCount_ > 0);
-	--refCount_;
-	if(0 == refCount_)
+	const ULONG newCount = --refCount_;
+	if (0 == refCount_)
 		delete this;
-	return refCount_;
+	return newCount;
 }
 
 
diff --git a/EditSession.cpp b/EditSession.cpp
@@ -67,10 +67,10 @@ STDMETHODIMP_(ULONG) EditSession::AddRef(void) {
 
 STDMETHODIMP_(ULONG) EditSession::Release(void) {
 	assert(refCount_ > 0);
-	--refCount_;
-	if(0 == refCount_)
+	const ULONG newCount = --refCount_;
+	if (0 == refCount_)
 		delete this;
-	return refCount_;
+	return newCount;
 }
 
 STDMETHODIMP EditSession::DoEditSession(TfEditCookie ec) {
diff --git a/ImeModule.cpp b/ImeModule.cpp
@@ -505,10 +505,11 @@ STDMETHODIMP_(ULONG) ImeModule::Release(void) {
 	// The last reference is released in DllMain() when unloading.
 	// Hence interlocked operations are enough here, I guess.
 	assert(refCount_ > 0);
+	const ULONG newCount = --refCount_;
 	if(::InterlockedExchangeSubtract(&refCount_, 1) == 1) {
 		delete this;
 	}
-	return refCount_;
+	return newCount;
 }
 
 // IClassFactory
diff --git a/LangBarButton.cpp b/LangBarButton.cpp
@@ -212,10 +212,10 @@ STDMETHODIMP_(ULONG) LangBarButton::AddRef(void) {
 
 STDMETHODIMP_(ULONG) LangBarButton::Release(void) {
 	assert(refCount_ > 0);
-	--refCount_;
-	if(0 == refCount_)
+	const ULONG newCount = --refCount_;
+	if (0 == refCount_)
 		delete this;
-	return refCount_;
+	return newCount;
 }
 
 // ITfLangBarItem
diff --git a/TextService.cpp b/TextService.cpp
@@ -68,12 +68,6 @@ TextService::~TextService(void) {
 		}
 	}
 
-	if(!langBarButtons_.empty()) {
-		for(vector<LangBarButton*>::iterator it = langBarButtons_.begin(); it != langBarButtons_.end(); ++it) {
-			LangBarButton* button = *it;
-			button->Release();
-		}
-	}
 	if(langBarMgr_) {
 		langBarMgr_->UnadviseEventSink(langBarSinkCookie_);
 	}
@@ -108,31 +102,26 @@ DWORD TextService::langBarStatus() const {
 
 void TextService::addButton(LangBarButton* button) {
 	if(button) {
-		langBarButtons_.push_back(button);
-		button->AddRef();
+		langBarButtons_.emplace_back(button);
 		if(isActivated()) {
-			ITfLangBarItemMgr* langBarItemMgr;
+			ComPtr<ITfLangBarItemMgr> langBarItemMgr;
 			if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {
 				langBarItemMgr->AddItem(button);
-				langBarItemMgr->Release();
 			}
 		}
 	}
 }
 
 void TextService::removeButton(LangBarButton* button) {
 	if(button) {
-		vector<LangBarButton*>::iterator it;
-		it = find(langBarButtons_.begin(), langBarButtons_.end(), button);
+		auto it = find(langBarButtons_.begin(), langBarButtons_.end(), button);
 		if(it != langBarButtons_.end()) {
 			if(isActivated()) {
-				ITfLangBarItemMgr* langBarItemMgr;
+				ComPtr<ITfLangBarItemMgr> langBarItemMgr;
 				if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {
 					langBarItemMgr->RemoveItem(button);
-					langBarItemMgr->Release();
 				}
 			}
-			button->Release();
 			langBarButtons_.erase(it);
 		}
 	}
@@ -621,13 +610,13 @@ STDMETHODIMP_(ULONG) TextService::AddRef(void) {
 
 STDMETHODIMP_(ULONG) TextService::Release(void) {
 	assert(refCount_ > 0);
-	--refCount_;
+	const ULONG newCount = --refCount_;
 	if(0 == refCount_) {
 		// ImeModule needs to do some clean up before deleting the TextService object.
 		module_->removeTextService(this);
 		delete this;
 	}
-	return refCount_;
+	return newCount;
 }
 
 // ITfTextInputProcessor
@@ -700,8 +689,7 @@ STDMETHODIMP TextService::Activate(ITfThreadMgr *pThreadMgr, TfClientId tfClient
 	if(!langBarButtons_.empty()) {
 		ComPtr<ITfLangBarItemMgr> langBarItemMgr;
 		if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {
-			for(vector<LangBarButton*>::iterator it = langBarButtons_.begin(); it != langBarButtons_.end(); ++it) {
-				LangBarButton* button = *it;
+			for(auto& button: langBarButtons_) {
 				langBarItemMgr->AddItem(button);
 			}
 		}
@@ -729,8 +717,7 @@ STDMETHODIMP TextService::Deactivate() {
 	if(!langBarButtons_.empty()) {
 		ComPtr<ITfLangBarItemMgr> langBarItemMgr;
 		if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {
-			for(vector<LangBarButton*>::iterator it = langBarButtons_.begin(); it != langBarButtons_.end(); ++it) {
-				LangBarButton* button = *it;
+			for(auto& button: langBarButtons_) {
 				langBarItemMgr->RemoveItem(button);
 			}
 		}
diff --git a/TextService.h b/TextService.h
@@ -305,7 +305,7 @@ class TextService:
 
 	ITfComposition* composition_; // acquired when starting composition, released when ending composition
 	ComPtr<ITfLangBarMgr> langBarMgr_;
-	std::vector<LangBarButton*> langBarButtons_;
+	std::vector<ComPtr<LangBarButton>> langBarButtons_;
 	std::vector<PreservedKey> preservedKeys_;
 	std::vector<CompartmentMonitor> compartmentMonitors_;
 

Original file line number	Diff line number	Diff line change
`@@ -505,10 +505,11 @@ STDMETHODIMP_(ULONG) ImeModule::Release(void) {`
`505`	`505`	`// The last reference is released in DllMain() when unloading.`
`506`	`506`	`// Hence interlocked operations are enough here, I guess.`
`507`	`507`	`assert(refCount_ > 0);`
	`508`	`+ const ULONG newCount = --refCount_;`
`508`	`509`	`if(::InterlockedExchangeSubtract(&refCount_, 1) == 1) {`
`509`	`510`	`delete this;`
`510`	`511`	`}`
`511`		`- return refCount_;`
	`512`	`+ return newCount;`
`512`	`513`	`}`
`513`	`514`
`514`	`515`	`// IClassFactory`
Original file line number	Diff line number	Diff line change
`@@ -68,12 +68,6 @@ TextService::~TextService(void) {`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`
`71`		`- if(!langBarButtons_.empty()) {`
`72`		`- for(vector<LangBarButton*>::iterator it = langBarButtons_.begin(); it != langBarButtons_.end(); ++it) {`
`73`		`- LangBarButton* button = *it;`
`74`		`- button->Release();`
`75`		`- }`
`76`		`- }`
`77`	`71`	`if(langBarMgr_) {`
`78`	`72`	`langBarMgr_->UnadviseEventSink(langBarSinkCookie_);`
`79`	`73`	`}`
`@@ -108,31 +102,26 @@ DWORD TextService::langBarStatus() const {`
`108`	`102`
`109`	`103`	`void TextService::addButton(LangBarButton* button) {`
`110`	`104`	`if(button) {`
`111`		`- langBarButtons_.push_back(button);`
`112`		`- button->AddRef();`
	`105`	`+ langBarButtons_.emplace_back(button);`
`113`	`106`	`if(isActivated()) {`
`114`		`- ITfLangBarItemMgr* langBarItemMgr;`
	`107`	`+ ComPtr<ITfLangBarItemMgr> langBarItemMgr;`
`115`	`108`	`if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {`
`116`	`109`	`langBarItemMgr->AddItem(button);`
`117`		`- langBarItemMgr->Release();`
`118`	`110`	`}`
`119`	`111`	`}`
`120`	`112`	`}`
`121`	`113`	`}`
`122`	`114`
`123`	`115`	`void TextService::removeButton(LangBarButton* button) {`
`124`	`116`	`if(button) {`
`125`		`- vector<LangBarButton*>::iterator it;`
`126`		`- it = find(langBarButtons_.begin(), langBarButtons_.end(), button);`
	`117`	`+ auto it = find(langBarButtons_.begin(), langBarButtons_.end(), button);`
`127`	`118`	`if(it != langBarButtons_.end()) {`
`128`	`119`	`if(isActivated()) {`
`129`		`- ITfLangBarItemMgr* langBarItemMgr;`
	`120`	`+ ComPtr<ITfLangBarItemMgr> langBarItemMgr;`
`130`	`121`	`if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {`
`131`	`122`	`langBarItemMgr->RemoveItem(button);`
`132`		`- langBarItemMgr->Release();`
`133`	`123`	`}`
`134`	`124`	`}`
`135`		`- button->Release();`
`136`	`125`	`langBarButtons_.erase(it);`
`137`	`126`	`}`
`138`	`127`	`}`
`@@ -621,13 +610,13 @@ STDMETHODIMP_(ULONG) TextService::AddRef(void) {`
`621`	`610`
`622`	`611`	`STDMETHODIMP_(ULONG) TextService::Release(void) {`
`623`	`612`	`assert(refCount_ > 0);`
`624`		`- --refCount_;`
	`613`	`+ const ULONG newCount = --refCount_;`
`625`	`614`	`if(0 == refCount_) {`
`626`	`615`	`// ImeModule needs to do some clean up before deleting the TextService object.`
`627`	`616`	`module_->removeTextService(this);`
`628`	`617`	`delete this;`
`629`	`618`	`}`
`630`		`- return refCount_;`
	`619`	`+ return newCount;`
`631`	`620`	`}`
`632`	`621`
`633`	`622`	`// ITfTextInputProcessor`
`@@ -700,8 +689,7 @@ STDMETHODIMP TextService::Activate(ITfThreadMgr *pThreadMgr, TfClientId tfClient`
`700`	`689`	`if(!langBarButtons_.empty()) {`
`701`	`690`	`ComPtr<ITfLangBarItemMgr> langBarItemMgr;`
`702`	`691`	`if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {`
`703`		`- for(vector<LangBarButton*>::iterator it = langBarButtons_.begin(); it != langBarButtons_.end(); ++it) {`
`704`		`- LangBarButton* button = *it;`
	`692`	`+ for(auto& button: langBarButtons_) {`
`705`	`693`	`langBarItemMgr->AddItem(button);`
`706`	`694`	`}`
`707`	`695`	`}`
`@@ -729,8 +717,7 @@ STDMETHODIMP TextService::Deactivate() {`
`729`	`717`	`if(!langBarButtons_.empty()) {`
`730`	`718`	`ComPtr<ITfLangBarItemMgr> langBarItemMgr;`
`731`	`719`	`if(threadMgr_->QueryInterface(IID_ITfLangBarItemMgr, (void**)&langBarItemMgr) == S_OK) {`
`732`		`- for(vector<LangBarButton*>::iterator it = langBarButtons_.begin(); it != langBarButtons_.end(); ++it) {`
`733`		`- LangBarButton* button = *it;`
	`720`	`+ for(auto& button: langBarButtons_) {`
`734`	`721`	`langBarItemMgr->RemoveItem(button);`
`735`	`722`	`}`
`736`	`723`	`}`