From: Jérôme Gardou
Subject: rpcrt4: free parameters allocated by application before anything else.
Message-Id: <539EF735.2060206@reactos.org>
Date: Mon, 16 Jun 2014 15:55:01 +0200

The freer function calculates conformance and variance using values in parameters which can be freed earlier in the loop, so it is necessary to free those before anything else. See http://bugs.winehq.org/show_bug.cgi?id=36743 for details.
---
 dlls/rpcrt4/ndr_stubless.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/dlls/rpcrt4/ndr_stubless.c b/dlls/rpcrt4/ndr_stubless.c
index 9c07f4e..157125e 100644
--- a/dlls/rpcrt4/ndr_stubless.c
+++ b/dlls/rpcrt4/ndr_stubless.c
@@ -1100,6 +1100,19 @@ static LONG_PTR *stub_do_args(MIDL_STUB_MESSAGE *pStubMsg,
 unsigned int i;
 LONG_PTR *retval_ptr = NULL;

+ if (phase == STUBLESS_FREE)
+ {
+ /* Process the params allocated by the application first */
+ for (i = 0; i < number_of_params; i++)
+ {
+ unsigned char *pArg = pStubMsg->StackTop + params[i].stack_offset;
+ if (params[i].attr.MustFree)
+ {
+ call_freer(pStubMsg, pArg, ¶ms[i]);
+ }
+ }
+ }
+
 for (i = 0; i < number_of_params; i++)
 {
 unsigned char *pArg = pStubMsg->StackTop + params[i].stack_offset;
@@ -1117,11 +1130,7 @@ static LONG_PTR *stub_do_args(MIDL_STUB_MESSAGE *pStubMsg,
 call_marshaller(pStubMsg, pArg, ¶ms[i]);
 break;
 case STUBLESS_FREE:
- if (params[i].attr.MustFree)
- {
- call_freer(pStubMsg, pArg, ¶ms[i]);
- }
- else if (params[i].attr.ServerAllocSize)
+ if (params[i].attr.ServerAllocSize)
 {
 HeapFree(GetProcessHeap(), 0, *(void **)pArg);
 }
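Review bot: The comment on the new pre-pass in the first hunk, `/* Process the params allocated by the application first */`, states the order but not why it is a memory-safety requirement, so a later refactor could merge the two loops again and reintroduce the read of already-freed parameters. I would spell it out, e.g. `/* MustFree freers run before any HeapFree below: a freer may read other parameters (conformance/variance) that the main loop releases. */`. Freers inside the pre-pass still run in parameter order, so a freer whose conformance value lives in memory released by an earlier MustFree parameter would presumably still read freed memory; that case is not visible here and is worth confirming against the linked bug. stub_do_args begins and ends outside the hunk.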
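Review bot: In the STUBLESS_FREE case of the second hunk, turning `else if (params[i].attr.ServerAllocSize)` into a plain `if` drops the mutual exclusion with MustFree: a parameter with both attributes set used to get only call_freer, and now gets call_freer in the pre-pass and then `HeapFree(GetProcessHeap(), 0, *(void **)pArg)` as well. Whether the format strings can ever set both bits is not visible from this hunk; if they can, this is a free of memory the freer may already have released. Keeping the old behaviour is one line, `if (params[i].attr.ServerAllocSize && !params[i].attr.MustFree)`, or add a comment stating that the two attributes never occur together. The switch and the enclosing loop continue outside the hunk.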