From d431111b0647278d2bc234e9e6551c0b7e6c2b6f Mon Sep 17 00:00:00 2001
From: wm4
Date: Mon, 21 Aug 2017 17:34:27 +0200
Subject: win32: fix massive memory corruption

The struct m_thread_info pointer is part of an array, that will be reallocated if another thread is created while the run_thread is just being called. In previous versions of this code, the pointer was stable (as long as the thread existed), so this was overlooked.

Fixes #4770.

I'm not sure why this triggers it so reliably, while it remained undetected otherwise.
---
 osdep/win32/pthread.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/osdep/win32/pthread.c b/osdep/win32/pthread.c
index dfc70288ac..d4a5ddc22a 100644
--- a/osdep/win32/pthread.c
+++ b/osdep/win32/pthread.c
@@ -205,7 +205,11 @@ int pthread_detach(pthread_t thread)
 static DWORD WINAPI run_thread(LPVOID lpParameter)
 {
- struct m_thread_info *info = lpParameter;
+ pthread_mutex_lock(&pthread_table_lock);
+ struct m_thread_info *info = find_thread_info(pthread_self());
+ assert(info);
+ pthread_mutex_unlock(&pthread_table_lock);
+
 pthread_exit(info->user_fn(info->user_arg));
 abort(); // not reached
 }
@@ -228,7 +232,7 @@ int pthread_create(pthread_t *thread, const pthread_attr_t *attr,
 .user_fn = start_routine,
 .user_arg = arg,
 };
- info->handle = CreateThread(NULL, 0, run_thread, info, CREATE_SUSPENDED,
+ info->handle = CreateThread(NULL, 0, run_thread, NULL, CREATE_SUSPENDED,
 &info->id);
 if (!info->handle) {
 remove_thread_info(info);
-- 
cgit v1.2.3
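Review bot: The new run_thread body still dereferences `info` after `pthread_mutex_unlock(&pthread_table_lock)`, on the `pthread_exit(info->user_fn(info->user_arg))` line, so the window the commit message describes (the m_thread_info array being reallocated by a concurrent pthread_create) is narrowed but not closed. Copy the two fields out while the lock is held and call through the locals: `void *(*user_fn)(void *) = info->user_fn; void *user_arg = info->user_arg;` before the unlock, then `pthread_exit(user_fn(user_arg));` — the declared type of user_fn is not visible in this hunk, so match it to the struct definition. `assert(info)` compiles away under NDEBUG and the next line then dereferences NULL if find_thread_info ever misses, so an unconditional check that calls `abort()` may be preferable in a release build, and the now-unused parameter could be silenced with `(void)lpParameter;`. The counterpart change in the second hunk (passing NULL to CreateThread) needs nothing further.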