From c5f802363fb00b443f3bc98eeb7295ce52d34537 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner <sebastian@fds-team.de>
Date: Sat, 13 Sep 2014 17:27:01 +0200
Subject: [PATCH] riched20-IText_Interface: Added patch to fix invalid memory
 access when parent object was destroyed before child object.

---
 patches/Makefile                              |  1 +
 ...alid-memory-access-when-parent-objec.patch | 63 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 patches/riched20-IText_Interface/0014-riched20-Fix-invalid-memory-access-when-parent-objec.patch

diff --git a/patches/Makefile b/patches/Makefile
index 701360d1..a7a86814 100644
--- a/patches/Makefile
+++ b/patches/Makefile
@@ -740,6 +740,7 @@ riched20-IText_Interface.ok:
 	$(call APPLY_FILE,riched20-IText_Interface/0011-riched20-Implement-ITextRange-IsEqual.patch)
 	$(call APPLY_FILE,riched20-IText_Interface/0012-riched20-Implement-ITextRange-GetStoryLength.patch)
 	$(call APPLY_FILE,riched20-IText_Interface/0013-riched20-Implement-ITextSelection-GetStoryLength.patch)
+	$(call APPLY_FILE,riched20-IText_Interface/0014-riched20-Fix-invalid-memory-access-when-parent-objec.patch)
 	@( \
 		echo '+    { "riched20-IText_Interface", "Jactry Zeng", "Implement Stubs for ITextRange interface. [rev 3]" },'; \
 		echo '+    { "riched20-IText_Interface", "Jactry Zeng", "Implement Stubs for ITextFont interface. [rev 2]" },'; \
diff --git a/patches/riched20-IText_Interface/0014-riched20-Fix-invalid-memory-access-when-parent-objec.patch b/patches/riched20-IText_Interface/0014-riched20-Fix-invalid-memory-access-when-parent-objec.patch
new file mode 100644
index 00000000..2faa3bdb
--- /dev/null
+++ b/patches/riched20-IText_Interface/0014-riched20-Fix-invalid-memory-access-when-parent-objec.patch
@@ -0,0 +1,63 @@
+From ed3dbf533bbfdbb7bfb05135f60ea6ef214c7f3a Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sat, 13 Sep 2014 17:21:31 +0200
+Subject: riched20: Fix invalid memory access when parent object was destroyed
+ earlier than child object.
+
+---
+ dlls/riched20/richole.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/dlls/riched20/richole.c b/dlls/riched20/richole.c
+index 8c64492..b9ff71f 100644
+--- a/dlls/riched20/richole.c
++++ b/dlls/riched20/richole.c
+@@ -528,10 +528,13 @@ static ULONG WINAPI ITextPara_fnRelease(ITextPara *me)
+             ITextRange_Release(&This->txtRge->ITextRange_iface);
+         else
+             ITextSelection_Release(&This->txtSel->ITextSelection_iface);
+-        This->reOle = NULL;
+         This->txtRge = NULL;
+         This->txtSel = NULL;
+-        list_remove(&This->entry);
++        if (This->reOle)
++        {
++            list_remove(&This->entry);
++            This->reOle = NULL;
++        }
+         heap_free(This);
+     }
+     return ref;
+@@ -1163,10 +1166,13 @@ static ULONG WINAPI ITextFont_fnRelease(ITextFont *me)
+             ITextRange_Release(&This->txtRge->ITextRange_iface);
+         else
+             ITextSelection_Release(&This->txtSel->ITextSelection_iface);
+-        This->reOle = NULL;
+         This->txtRge = NULL;
+         This->txtSel = NULL;
+-        list_remove(&This->entry);
++        if (This->reOle)
++        {
++            list_remove(&This->entry);
++            This->reOle = NULL;
++        }
+         heap_free(This);
+     }
+     return ref;
+@@ -1897,8 +1903,11 @@ static ULONG WINAPI ITextRange_fnRelease(ITextRange *me)
+     TRACE ("%p ref=%u\n", This, ref);
+     if (ref == 0)
+     {
+-        This->reOle = NULL;
+-        list_remove(&This->entry);
++        if (This->reOle)
++        {
++            list_remove(&This->entry);
++            This->reOle = NULL;
++        }
+         heap_free(This);
+     }
+     return ref;
+-- 
+2.1.0
+