From: Zebediah Figura
Subject: [PATCH 2/2] mshtml: Avoid passing invalid memory to DispCallFunc().
Message-Id: <20190519161634.32720-2-z.figura12@gmail.com>
Date: Sun, 19 May 2019 11:16:34 -0500
In-Reply-To: <20190519161634.32720-1-z.figura12@gmail.com>
References: <20190519161634.32720-1-z.figura12@gmail.com>
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=47222
Signed-off-by: Zebediah Figura
---
 dlls/mshtml/dispex.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/dlls/mshtml/dispex.c b/dlls/mshtml/dispex.c
index 2033e90872..c536430d97 100644
--- a/dlls/mshtml/dispex.c
+++ b/dlls/mshtml/dispex.c
@@ -1129,6 +1129,7 @@ static HRESULT builtin_propput(DispatchEx *This, func_info_t *func, DISPPARAMS *
 static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISPPARAMS *dp, VARIANT *res, IServiceProvider *caller)
 {
 VARIANT arg_buf[MAX_ARGS], *arg_ptrs[MAX_ARGS], *arg, retv, ret_ref, vhres;
+ VARTYPE arg_types[MAX_ARGS];
 unsigned i, nconv = 0;
 IUnknown *iface;
 HRESULT hres;
@@ -1181,6 +1182,8 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
 IDispatch_Release(V_DISPATCH(arg_ptrs[i]));
 V_DISPATCH(arg_ptrs[i]) = iface;
 }
+
+ arg_types[i] = func->arg_types[i];
 }
 if(SUCCEEDED(hres)) {
@@ -1206,11 +1209,12 @@ static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISP
 default:
 assert(0);
 }
+ arg_types[func->argc] = V_VT(&ret_ref);
 }
 V_VT(&vhres) = VT_ERROR;
 hres = DispCallFunc(iface, func->call_vtbl_off*sizeof(void*), CC_STDCALL, VT_ERROR,
- func->argc + (func->prop_vt == VT_VOID ? 0 : 1), func->arg_types, arg_ptrs, &vhres);
+ func->argc + (func->prop_vt == VT_VOID ? 0 : 1), arg_types, arg_ptrs, &vhres);
 }
 while(nconv--)
-- 
2.21.0
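Review bot: The new stack array `VARTYPE arg_types[MAX_ARGS];` in the first hunk is written at index `func->argc` by the third hunk (`arg_types[func->argc] = V_VT(&ret_ref);`), which is only in bounds when `func->argc` is strictly less than MAX_ARGS. A function with exactly MAX_ARGS parameters and a non-void `prop_vt` would store one element past the end of the array, and DispCallFunc would then be told to read `argc + 1` entries from it. No bound on `func->argc` is visible in these hunks and the function body continues outside them, so the limit may already be enforced where `func_info_t` is populated; it is worth confirming, or stating locally with `assert(func->argc < MAX_ARGS);` before the arguments are converted. The per-argument copy `arg_types[i] = func->arg_types[i];` in the second hunk depends on the same bound.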
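Review bot: Nothing next to the DispCallFunc() call in the third hunk records why the local `arg_types` copy is passed instead of `func->arg_types`, so a later cleanup could revert it and reintroduce the out-of-bounds read. A one-line comment above `arg_types[func->argc] = V_VT(&ret_ref);` would cover it, for example `/* DispCallFunc reads one VARTYPE per argument, including the by-ref return slot, which func->arg_types does not hold */`. That `func->arg_types` has only `argc` entries is inferred from the commit title and the shape of the change, not shown in the hunk, so the wording should be checked against the code that builds `func_info_t`.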