Giovanni Mascellani (@giomasce) commented about libs/vkd3d-shader/dxil.c:
+ + count = record->operand_count - 2; + if (!(type->u.function = vkd3d_malloc(offsetof(struct sm6_function_info, param_types[count])))) + { + ERR("Failed to allocate function parameter types.\n"); + return VKD3D_ERROR_OUT_OF_MEMORY; + } + + type->u.function->ret_type = &sm6->types[type_id]; + type->u.function->param_count = count; + for (j = 0; j < count; ++j) + { + if ((type_id = record->operands[j + 2]) >= type_count) + { + WARN("Invalid parameter type id %"PRIu64" for type %u.\n", type_id, type_index); + vkd3d_free(type->u.function); If you free without zeroing the pointer you're prone to double freeing, aren't you? This also happens for structures.
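Review bot: The error path inside the parameter loop calls `vkd3d_free(type->u.function)` but leaves `type->u.function` pointing at the freed block, so any later cleanup that walks `sm6->types` and frees function info will free it a second time; set `type->u.function = NULL;` right after the `vkd3d_free()` (or free in a single cleanup path after the loop) so the type is left in a consistent state. The same ordering issue makes `ret_type` and `param_count` visible on a struct that is then thrown away, since they are assigned before the parameter type ids are validated. Separately, the visible lines show no check that `record->operand_count >= 2` before `count = record->operand_count - 2`; if that is not validated earlier in the function, the subtraction wraps and the `offsetof(..., param_types[count])` allocation size is wrong.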
-- https://gitlab.winehq.org/wine/vkd3d/-/merge_requests/259#note_37321