[PATCH 2/2] mshtml: Avoid passing invalid memory to DispCallFunc().

Zebediah Figura z.figura12 at gmail.com
Sun May 19 11:16:34 CDT 2019


Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=47222
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
 dlls/mshtml/dispex.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/dlls/mshtml/dispex.c b/dlls/mshtml/dispex.c
index 2033e90872..c536430d97 100644
--- a/dlls/mshtml/dispex.c
+++ b/dlls/mshtml/dispex.c
@@ -1129,6 +1129,7 @@ static HRESULT builtin_propput(DispatchEx *This, func_info_t *func, DISPPARAMS *
 static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISPPARAMS *dp, VARIANT *res, IServiceProvider *caller)
 {
     VARIANT arg_buf[MAX_ARGS], *arg_ptrs[MAX_ARGS], *arg, retv, ret_ref, vhres;
+    VARTYPE arg_types[MAX_ARGS];
     unsigned i, nconv = 0;
     IUnknown *iface;
     HRESULT hres;
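Review bot: The new `arg_types` local in invoke_builtin_function() has no comment explaining why a copy of `func->arg_types` is needed, so a later cleanup could easily pass `func->arg_types` straight to DispCallFunc() again. I would add `/* Local copy: DispCallFunc() is given argc + 1 types when a by-ref return slot is appended. */` above the declaration. That wording is inferred from the argument count at the DispCallFunc() call site later in the patch, so confirm that `func->arg_types` really holds only `argc` entries. The function body continues outside this hunk.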
@@ -1181,6 +1182,8 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
                 IDispatch_Release(V_DISPATCH(arg_ptrs[i]));
             V_DISPATCH(arg_ptrs[i]) = iface;
         }
+
+        arg_types[i] = func->arg_types[i];
     }
 
     if(SUCCEEDED(hres)) {
@@ -1206,11 +1209,12 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
             default:
                 assert(0);
             }
+            arg_types[func->argc] = V_VT(&ret_ref);
         }
 
         V_VT(&vhres) = VT_ERROR;
         hres = DispCallFunc(iface, func->call_vtbl_off*sizeof(void*), CC_STDCALL, VT_ERROR,
-                    func->argc + (func->prop_vt == VT_VOID ? 0 : 1), func->arg_types, arg_ptrs, &vhres);
+                    func->argc + (func->prop_vt == VT_VOID ? 0 : 1), arg_types, arg_ptrs, &vhres);
     }
 
     while(nconv--)
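Review bot: The added store `arg_types[func->argc] = V_VT(&ret_ref);` is in bounds only while `func->argc < MAX_ARGS` on the non-VT_VOID path, because the array is declared with MAX_ARGS entries, and nothing visible in this hunk enforces that. If the limit is guaranteed where func_info_t is built, an `assert(func->argc < MAX_ARGS);` just before the store would record it. Otherwise declaring the array as `VARTYPE arg_types[MAX_ARGS + 1];` removes the dependency. The same bound applies to `arg_ptrs`, which is passed to DispCallFunc() with the same count. The enclosing function starts and ends outside this hunk.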
-- 
2.21.0



