+ str = SysAllocStringLen(NULL, 1023);
+ newstr = SysAllocStringLen(NULL, 1023);
Where this length comes from?
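Review bot: Neither SysAllocStringLen call has its return value checked, so on allocation failure the later `str[0] = (char)tmp;` store in the switch writes through a NULL BSTR instead of the function returning an error; add `if(!str) return E_OUTOFMEMORY;` after the first call and the equivalent check after the second (freeing str with SysFreeString before returning). Note also that SysAllocStringLen with a NULL source only writes the terminator at index 1023 and leaves the 1023 characters in between uninitialized, so any code that reads either buffer as a string before filling it reads uninitialized memory. The enclosing function starts and ends outside the hunk.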
+ switch(V_VT(arg + 1)) {
+ case VT_NULL:
+ return MAKE_VBSERROR(VBSE_ILLEGAL_NULL_USE);
+ case VT_BSTR:
+ str = V_BSTR(arg + 1);
+ break;
+ case VT_ARRAY|VT_BYREF|VT_VARIANT:
+ return DISP_E_TYPEMISMATCH;
+ default:
+ hres = to_short(arg + 1, &tmp);
+ if(FAILED(hres))
+ return hres;
+ str[0] = (char)tmp;
+ break;
+ }
You only need first character, right? Then why do you need a full BSTR pointer in VT_BSTR case? And assigning it to 'str' you leak a previously allocated buffer. Why cast to (char)tmp?
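Review bot: The default branch stores a single character at str[0] but never terminates the string, and since str came from SysAllocStringLen(NULL, 1023) the characters after index 0 are uninitialized, so anything that later treats str as a string (that use is outside the hunk, so this is inferred) runs off into uninitialized memory. If the buffer is meant to carry just that one character, follow the store with `str[1] = 0;`. The switch is complete within the hunk, but the function around it is not.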
+ else if(len == 0)
+ newstr = '\0';
Same way you're losing pointer to allocated buffer.
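Review bot: `newstr = '\0';` assigns a null pointer constant to a BSTR variable, so after this branch newstr is NULL and any later dereference of it (outside the hunk) faults instead of seeing an empty string; the statement that terminates the existing buffer is `newstr[0] = 0;`. The if/else chain this line belongs to begins before the hunk.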