[PATCH 2/2] mshtml: Avoid passing invalid memory to DispCallFunc().
Zebediah Figura
z.figura12 at gmail.com
Sun May 19 11:16:34 CDT 2019
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=47222
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
dlls/mshtml/dispex.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/dlls/mshtml/dispex.c b/dlls/mshtml/dispex.c
index 2033e90872..c536430d97 100644
--- a/dlls/mshtml/dispex.c
+++ b/dlls/mshtml/dispex.c
@@ -1129,6 +1129,7 @@ static HRESULT builtin_propput(DispatchEx *This, func_info_t *func, DISPPARAMS *
static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISPPARAMS *dp, VARIANT *res, IServiceProvider *caller)
{
VARIANT arg_buf[MAX_ARGS], *arg_ptrs[MAX_ARGS], *arg, retv, ret_ref, vhres;
+ VARTYPE arg_types[MAX_ARGS];
unsigned i, nconv = 0;
IUnknown *iface;
HRESULT hres;
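Review bot: The new `arg_types` declaration has no comment saying why the function keeps its own copy of the type list, which is the reason for the whole patch. Judging from the third hunk, the call passes `func->argc + 1` types when there is a return value, and `func->arg_types` apparently has no slot for that extra entry. A one-line comment above the declaration would record this, for example `/* local copy of func->arg_types plus one slot for the by-ref return value */`. The function body continues outside the hunk.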
@@ -1181,6 +1182,8 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
IDispatch_Release(V_DISPATCH(arg_ptrs[i]));
V_DISPATCH(arg_ptrs[i]) = iface;
}
+
+ arg_types[i] = func->arg_types[i];
}
if(SUCCEEDED(hres)) {
@@ -1206,11 +1209,12 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
default:
assert(0);
}
+ arg_types[func->argc] = V_VT(&ret_ref);
}
V_VT(&vhres) = VT_ERROR;
hres = DispCallFunc(iface, func->call_vtbl_off*sizeof(void*), CC_STDCALL, VT_ERROR,
- func->argc + (func->prop_vt == VT_VOID ? 0 : 1), func->arg_types, arg_ptrs, &vhres);
+ func->argc + (func->prop_vt == VT_VOID ? 0 : 1), arg_types, arg_ptrs, &vhres);
}
while(nconv--)
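Review bot: `arg_types[func->argc] = V_VT(&ret_ref);` writes to index `func->argc` of an array that the first hunk declares with `MAX_ARGS` elements, and nothing visible here keeps `func->argc` below `MAX_ARGS` on the non-void path. The same limit presumably already applies to `arg_ptrs`, and it may be enforced where the `func_info_t` is built, but neither is visible in the hunk. Adding `assert(func->argc < MAX_ARGS);` before the store would state the requirement locally, so a later change on either side cannot turn it into a stack write past the array. The body of invoke_builtin_function starts and ends outside the hunk.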
--
2.21.0