Gerald Pfeifer <gerald(a)pfeifer.com> wrote:

--- a/dlls/oleaut32/tmarshal.c +++ b/dlls/oleaut32/tmarshal.c @@ -1078,7 +1078,10 @@ deserialize_param( if (readit) { DWORD x; hres = xbuf_get(buf,(LPBYTE)&x,sizeof(DWORD)); - if (hres) ERR("Failed to read integer 4 byte\n"); + if (hres) { + ERR("Failed to read integer 4 byte\n"); + x = 0; + } memcpy(arg,&x,2); } if (debugout) TRACE_(olerelay)("%04x",*arg & 0xffff); @@ -1088,7 +1091,10 @@ deserialize_param( if (readit) { DWORD x; hres = xbuf_get(buf,(LPBYTE)&x,sizeof(DWORD)); - if (hres) ERR("Failed to read integer 4 byte\n"); + if (hres) { + ERR("Failed to read integer 4 byte\n"); + x = 0; + } memcpy(arg,&x,1);

A proper fix would be to avoid a memcpy() if xbuf_get() fails instead of creating bogus input data. -- Dmitry.