Fix a use-after-free in sceKernelTerminateDeleteThread

hrydgard committed Dec 3, 2017
1 parent 4c114c1 commit d6b7cde71823993b0e4a424333fadde99666a7e0
Showing with 3 additions and 1 deletion.
  1. +3 −1 Core/HLE/sceKernelThread.cpp
@@ -2276,14 +2276,16 @@ int sceKernelTerminateDeleteThread(int threadID)
if (t)
bool wasStopped = t->isStopped();
uint32_t attr = t->nt.attr;
uint32_t uid = t->GetUID();
INFO_LOG(SCEKERNEL, "sceKernelTerminateDeleteThread(%i)", threadID);
error = __KernelDeleteThread(threadID, SCE_KERNEL_ERROR_THREAD_TERMINATED, "thread terminated with delete");
if (!wasStopped) {
// Set v0 before calling the handler, or it'll get lost.
__KernelThreadTriggerEvent((t->nt.attr & PSP_THREAD_ATTR_KERNEL) != 0, t->GetUID(), THREADEVENT_EXIT);
__KernelThreadTriggerEvent((attr & PSP_THREAD_ATTR_KERNEL) != 0, uid, THREADEVENT_EXIT);

unknownbrackets Dec 3, 2017


Hmm, we should make __KernelDeleteThread add it to pendingDeleteThreads in this case. Actually, maybe it should always be deleted later, I think (just could be a dangerous change, what with deallocating stack.) Just need to figure out the right place for pendingDeleteThreads.


return error;
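
Review bot: the copies of `attr` and `uid` taken before the `__KernelDeleteThread` call carry no comment saying why they exist, so a later cleanup could fold them back into `t->nt.attr` and `t->GetUID()` and reintroduce the use-after-free. Add a one-line comment above `uint32_t attr = t->nt.attr;` stating that `t` may be freed by `__KernelDeleteThread` and must not be dereferenced after that call, and consider setting `t` to `nullptr` right after the call so any later dereference fails visibly instead of reading freed memory. Separately, the `THREADEVENT_EXIT` trigger inside `if (!wasStopped)` is not gated on `error`; it is worth confirming that the event should still fire when `__KernelDeleteThread` returns a failure.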
