From fb4f1d28ba4d2b0935ac56a3d37ea9fa52c5de51 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Sun, 22 Dec 2019 11:13:12 +0000
Subject: fix parent pointer use after free in RISC OS dialog handling
---
 frontends/riscos/dialog.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/frontends/riscos/dialog.c b/frontends/riscos/dialog.c
index 8a907eb24..f0bcb5940 100644
--- a/frontends/riscos/dialog.c
+++ b/frontends/riscos/dialog.c
@@ -335,12 +335,16 @@ void ro_gui_dialog_close(wimp_w close)
 {
 int i;
 wimp_caret caret;
+ wimp_w parent = -1;
 os_error *error;
 /* Check if we're a persistent window */
 for (i = 0; i < MAX_PERSISTENT; i++) {
 if (persistent_dialog[i].dialog == close) {
 /* We are => invalidate record */
+ if (persistent_dialog[i].parent != NULL) {
+ parent = persistent_dialog[i].parent;
+ }
 persistent_dialog[i].parent = NULL;
 persistent_dialog[i].dialog = NULL;
 break;
@@ -363,7 +367,7 @@ void ro_gui_dialog_close(wimp_w close)
 /* Check if we are a persistent window */
 if (i < MAX_PERSISTENT) {
 error = xwimp_set_caret_position(
- persistent_dialog[i].parent,
+ parent,
 wimp_ICON_WINDOW, -100, -100, 32, -1);
 /* parent may have been closed first */
--
cgit v1.2.3
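Review bot: `wimp_w parent = -1;` in the first hunk initialises the handle with a bare integer, while the same hunk compares and assigns `persistent_dialog[i].parent` against `NULL`, so `wimp_w` looks like a pointer type and the initialiser is an int-to-pointer conversion without a cast, which compilers are required to diagnose. I would write `wimp_w parent = (wimp_w) -1; /* no parent recorded for this dialog */` so the sentinel is explicit and typed. The second hunk passes `parent` to `xwimp_set_caret_position()` even when it still holds that sentinel, i.e. when the matching record had a NULL parent; if `-1` is meant as the "no window" value for the caret call, a one-line comment at the call should say so, otherwise the call needs a guard. Both hunks cut through `ro_gui_dialog_close`, so the error handling that follows the call is not visible here.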