d3d9: Fix crash in d3d9_vertexbuffer_Release().

If there is no draw buffer then buffer pointer gets freed in
wined3d_buffer_decref() via d3d9_vertexbuffer_wined3d_parent_ops
and consequent check for buffer->draw_buffer results in freed
memory access.

Signed-off-by: Paul Gofman <gofmanp@gmail.com>
Signed-off-by: Henri Verbeet <hverbeet@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>

dlls/d3d9/buffer.c

@@ -76,12 +76,13 @@ static ULONG WINAPI d3d9_vertexbuffer_Release(IDirect3DVertexBuffer9 *iface)
 
     if (!refcount)
     {
+        struct wined3d_buffer *draw_buffer = buffer->draw_buffer;
         IDirect3DDevice9Ex *device = buffer->parent_device;
 
         wined3d_mutex_lock();
         wined3d_buffer_decref(buffer->wined3d_buffer);
-        if (buffer->draw_buffer)
-            wined3d_buffer_decref(buffer->draw_buffer);
+        if (draw_buffer)
+            wined3d_buffer_decref(draw_buffer);
         wined3d_mutex_unlock();
 
         /* Release the device last, as it may cause the device to be destroyed. */