[PATCH v2 2/2] mshtml: Avoid passing invalid memory to DispCallFunc().
Zebediah Figura
z.figura12 at gmail.com
Sun May 19 14:40:41 CDT 2019
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=47222
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
dlls/mshtml/dispex.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dlls/mshtml/dispex.c b/dlls/mshtml/dispex.c
index 2033e90872..88a5e5168e 100644
--- a/dlls/mshtml/dispex.c
+++ b/dlls/mshtml/dispex.c
@@ -1129,6 +1129,7 @@ static HRESULT builtin_propput(DispatchEx *This, func_info_t *func, DISPPARAMS *
static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISPPARAMS *dp, VARIANT *res, IServiceProvider *caller)
{
VARIANT arg_buf[MAX_ARGS], *arg_ptrs[MAX_ARGS], *arg, retv, ret_ref, vhres;
+ VARTYPE arg_types[MAX_ARGS];
unsigned i, nconv = 0;
IUnknown *iface;
HRESULT hres;
@@ -1149,6 +1150,7 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
for(i=0; i < func->argc; i++) {
BOOL own_value = FALSE;
+ arg_types[i] = func->arg_types[i];
if(i >= dp->cArgs) {
/* use default value */
arg_ptrs[i] = &func->arg_info[i].default_value;
@@ -1206,11 +1208,12 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
default:
assert(0);
}
+ arg_types[func->argc] = V_VT(&ret_ref);
}
V_VT(&vhres) = VT_ERROR;
hres = DispCallFunc(iface, func->call_vtbl_off*sizeof(void*), CC_STDCALL, VT_ERROR,
- func->argc + (func->prop_vt == VT_VOID ? 0 : 1), func->arg_types, arg_ptrs, &vhres);
+ func->argc + (func->prop_vt == VT_VOID ? 0 : 1), arg_types, arg_ptrs, &vhres);
}
while(nconv--)
--
2.21.0
More information about the wine-devel
mailing list