From 26319006acafde23118c2fd566525a8c2864e748 Mon Sep 17 00:00:00 2001
From: chunseok lee
Date: Wed, 13 Dec 2017 12:24:34 +0900
Subject: [PATCH] Fix uaf in DestroyThread function upstream cherrypick : 14f609a711f61c0724
From: Konstantin Baladurin
Date: Fri, 8 Dec 2017 15:28:40 +0300
Subject: Fix uaf in DestroyThread function. Mark thread's buffers as no longer owned before calling Thread::OnThreadTerminate because thread can delete itself in this method.
Signed-off-by: chunseok lee
---
 src/vm/threads.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/vm/threads.cpp b/src/vm/threads.cpp
index df8916c..59633fe 100644
--- a/src/vm/threads.cpp
+++ b/src/vm/threads.cpp
@@ -987,12 +987,6 @@ void DestroyThread(Thread *th)
 #endif // _TARGET_X86_
 #endif // WIN64EXCEPTIONS
- if (g_fEEShutDown == 0)
- {
- th->SetThreadState(Thread::TS_ReportDead);
- th->OnThreadTerminate(FALSE);
- }
-
 #ifdef FEATURE_PERFTRACING
 // Before the thread dies, mark its buffers as no longer owned
 // so that they can be cleaned up after the thread dies.
@@ -1002,6 +996,12 @@ void DestroyThread(Thread *th)
 pBufferList->SetOwnedByThread(false);
 }
 #endif // FEATURE_PERFTRACING
+
+ if (g_fEEShutDown == 0)
+ {
+ th->SetThreadState(Thread::TS_ReportDead);
+ th->OnThreadTerminate(FALSE);
+ }
 }
 //-------------------------------------------------------------------------
--
2.7.4
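Review bot: The relocated `if (g_fEEShutDown == 0)` block at the end of DestroyThread has no comment saying it must stay the last use of `th`, so a later edit could add cleanup after `th->OnThreadTerminate(FALSE)` and reintroduce the use-after-free. The commit message says the thread can delete itself in that call, which makes `th`, and presumably anything derived from it such as `pBufferList`, dangling once it returns. I would add `// Must remain the last access to th: OnThreadTerminate may delete the Thread object.` directly above the block. The function body starts outside the hunk, so whether earlier code caches other pointers into the Thread that outlive this call cannot be confirmed from here.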