Bad free error involving shdocvw and COM?

[Dan Kegel]

In shdocvw/tests/webbrowser.c, at the end of test_WebBrowser,
the call IUnknown_Release(unk) results in the following Valgrind error:

 Invalid free() / delete / delete[]
    at  notify_free (heap.c:199)
    by  RtlFreeHeap (heap.c:1284)
    by  SysFreeString (oleaut.c:196)
    by  DocHost_Release (dochost.c:550)
    by  WebBrowser_Release (webbrowser.c:153)
    by  test_WebBrowser (webbrowser.c:2028)
    by  func_webbrowser (webbrowser.c:2070)
    by  run_test (test.h:421)
    by  main (test.h:470)
  Address 0x7f01dc14 is 8 bytes after a block of size 28 alloc'd
    at  notify_alloc (heap.c:191)
    by  RtlAllocateHeap (heap.c:1231)
    by  COMPOBJ_DllList_Add (compobj.c:910)
    by  apartment_getclassobject (compobj.c:794)
    by  get_inproc_class_object (compobj.c:2138)
    by  CoGetClassObject (compobj.c:2238)
    by  get_protocol_cf (session.c:111)
    by  get_protocol_info (session.c:219)
    by  parse_canonicalize_url (internet.c:63)
    by  CoInternetParseUrl (internet.c:184)
    by  URLMonikerImpl_Construct (umon.c:1039)
    by  CreateURLMonikerEx (umon.c:1097)
    by  CreateURLMoniker (umon.c:1123)
    by  create_moniker (navigate.c:564)
    by  bind_to_object (navigate.c:600)
    by  navigate_bsc (navigate.c:657)
    by  navigate_bsc_proc (navigate.c:679)
    by  process_dochost_task (dochost.c:43)
    by  shell_embedding_proc (oleobject.c:65)
    by  ??? (library.h:163)

Seems like an important bug to fix, since it could conceivably
lead to heap corruption.  This is all our code, no gecko involved,
so we ought to be able to sort it, but it's beyond my ken.