[PATCH v2 2/2] mshtml: Avoid passing invalid memory to DispCallFunc().

Zebediah Figura z.figura12 at gmail.com
Sun May 19 14:40:41 CDT 2019


Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=47222
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
 dlls/mshtml/dispex.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/dlls/mshtml/dispex.c b/dlls/mshtml/dispex.c
index 2033e90872..88a5e5168e 100644
--- a/dlls/mshtml/dispex.c
+++ b/dlls/mshtml/dispex.c
@@ -1129,6 +1129,7 @@ static HRESULT builtin_propput(DispatchEx *This, func_info_t *func, DISPPARAMS *
 static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISPPARAMS *dp, VARIANT *res, IServiceProvider *caller)
 {
     VARIANT arg_buf[MAX_ARGS], *arg_ptrs[MAX_ARGS], *arg, retv, ret_ref, vhres;
+    VARTYPE arg_types[MAX_ARGS];
     unsigned i, nconv = 0;
     IUnknown *iface;
     HRESULT hres;
@@ -1149,6 +1150,7 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
 
     for(i=0; i < func->argc; i++) {
         BOOL own_value = FALSE;
+        arg_types[i] = func->arg_types[i];
         if(i >= dp->cArgs) {
             /* use default value */
             arg_ptrs[i] = &func->arg_info[i].default_value;
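Review bot: `arg_types` is declared with MAX_ARGS entries, and nothing visible in these hunks bounds `func->argc` before `arg_types[i]` is written here or before `arg_types[func->argc]` is written in the third hunk. The return-value slot needs `func->argc < MAX_ARGS`, not `<=`, whenever `func->prop_vt != VT_VOID`; otherwise that store lands one element past the stack array. The existing `arg_buf` and `arg_ptrs` arrays have the same size, so the limit is presumably enforced where the `func_info_t` is built, but an explicit `assert(func->argc + (func->prop_vt == VT_VOID ? 0 : 1) <= MAX_ARGS);` ahead of the loop would make that assumption visible and checked. The function body starts before and continues past this hunk.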
@@ -1206,11 +1208,12 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
             default:
                 assert(0);
             }
+            arg_types[func->argc] = V_VT(&ret_ref);
         }
 
         V_VT(&vhres) = VT_ERROR;
         hres = DispCallFunc(iface, func->call_vtbl_off*sizeof(void*), CC_STDCALL, VT_ERROR,
-                    func->argc + (func->prop_vt == VT_VOID ? 0 : 1), func->arg_types, arg_ptrs, &vhres);
+                    func->argc + (func->prop_vt == VT_VOID ? 0 : 1), arg_types, arg_ptrs, &vhres);
     }
 
     while(nconv--)
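Review bot: The new local `arg_types` array has no comment saying why `func->arg_types` can no longer be handed to DispCallFunc() directly, so a later cleanup could easily revert it. Judging from the commit title, `func->arg_types` presumably describes only the `func->argc` declared arguments while the call passes one more entry when `func->prop_vt != VT_VOID`; a line such as `/* func->arg_types only covers the declared arguments; add the return-value slot here */` above the `arg_types[func->argc]` assignment would record that. The same store copies `V_VT(&ret_ref)` right after a `default: assert(0);` branch, and whether `ret_ref`'s type is set on that path is not visible in the hunk, so it is worth confirming it cannot be read unset when assertions are compiled out. invoke_builtin_function() continues outside the hunk.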
-- 
2.21.0



