From: Brock York
Subject: [PATCH] msctf: Remove incorrect dereference of double pointer.
Message-Id: <20161209140548.22830-1-twunknown@gmail.com>
Date: Sat, 10 Dec 2016 01:05:48 +1100

Fixes https://bugs.winehq.org/show_bug.cgi?id=41252

ThreadMgr_QueryInterface is expecting ppvOut to be a pointer to a pointer. When UIElementMgr_QueryInterface calls the ThreadMgr_QueryInterface function it dereferences the void **ppvOut making it a void *ppvOut when passing it in. When ThreadMgr_QueryInterface attempts to dereference this pointer to assign a pointer to it, it is instead accessing the value ppvOut is supposed to be pointing at. When the pointer ppvOut points to is NULL this causes a null pointer dereference.

Tested on Arch Linux

Signed-off-by: Brock York
--- dlls/msctf/threadmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dlls/msctf/threadmgr.c b/dlls/msctf/threadmgr.c index e1f56f1..62ddfd2 100644 --- a/dlls/msctf/threadmgr.c +++ b/dlls/msctf/threadmgr.c @@ -1187,7 +1187,7 @@ static HRESULT WINAPI UIElementMgr_QueryInterface(ITfUIElementMgr *iface, REFIID { ThreadMgr *This = impl_from_ITfUIElementMgr(iface); - return ITfThreadMgrEx_QueryInterface(&This->ITfThreadMgrEx_iface, iid, *ppvOut); + return ITfThreadMgrEx_QueryInterface(&This->ITfThreadMgrEx_iface, iid, ppvOut); } static ULONG WINAPI UIElementMgr_AddRef(ITfUIElementMgr *iface) -- 2.10.2
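
Review bot: The removed line in UIElementMgr_QueryInterface passed *ppvOut, a void *, where a void ** is expected, and C converts void * to any object pointer type implicitly, so the compiler accepted it without a diagnostic; the other forwarding QueryInterface thunks in threadmgr.c deserve a check for the same pattern, since nothing at build time would flag it. The commit message covers only the case where the caller's output variable is NULL, but with the old line a caller whose variable held a stale non-NULL value would have had the interface pointer written through that value, which is memory corruption rather than a clean crash, and the message should say so. A regression test that calls QueryInterface through ITfUIElementMgr with the output variable preset to NULL would keep the corrected call from regressing.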