From 37dc6df5eb4ef5a309f7960fce3462259f7e4e54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Bernon?=
Date: Mon, 18 Dec 2023 23:10:19 +0100
Subject: [PATCH] lsteamclient: Avoid accessing entry->callback.size after free.

Fixes a crash in Space Engineers.

CW-Bug-Id: #23145
---
 lsteamclient/unixlib.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lsteamclient/unixlib.cpp b/lsteamclient/unixlib.cpp
index ef44805d..81214dbc 100644
--- a/lsteamclient/unixlib.cpp
+++ b/lsteamclient/unixlib.cpp
@@ -231,6 +231,7 @@ NTSTATUS ISteamClient_SteamClient020_Set_SteamAPI_CCheckCallbackRegisteredInProc
 NTSTATUS steamclient_next_callback( void *args )
 {
 struct steamclient_next_callback_params *params = (struct steamclient_next_callback_params *)args;
+ uint32_t capacity = params->size;
 struct list *ptr;
 
 pthread_mutex_lock( &callbacks_lock );
@@ -238,14 +239,13 @@ NTSTATUS steamclient_next_callback( void *args )
 {
 struct callback_entry *entry = LIST_ENTRY( ptr, struct callback_entry, entry );
 
- if (entry->callback.size <= params->size)
+ params->size = entry->callback.size;
+ if (params->size <= capacity)
 {
- memcpy( params->callback, &entry->callback, entry->callback.size );
+ memcpy( params->callback, &entry->callback, params->size );
 list_remove( &entry->entry );
 free( entry );
 }
-
- params->size = entry->callback.size;
 }
 
 pthread_mutex_unlock( &callbacks_lock );
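Review bot: The in/out contract of `params->size` in the second hunk — caller's buffer capacity on entry, required size of the head entry on return, entry left queued when it does not fit — is what makes caching `capacity` before the copy necessary, yet nothing in the hunk documents it. A comment above `params->size = entry->callback.size;` such as `/* always report the required size; the entry stays queued until the caller retries with a buffer at least that large */` would make the retry protocol explicit for the Wine-side caller, which can only tell "copied" from "too small" by comparing the returned size against the capacity it passed in. The statement enclosing the opening `{` of this hunk starts outside the hunk; if it only examines the list head, an entry the caller never provides enough room for would block every later callback behind it, which is worth confirming. The use-after-free itself (reading `entry->callback.size` after `free( entry )`) is correctly removed by the change.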