https://bugs.winehq.org/show_bug.cgi?id=31360
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- URL|http://www.bobcad.com |http://bobcad.com/wp-conten | |t/media/updates/archive/v21 | |.5.3.exe CC| |focht@gmx.net Component|-unknown |ole32
--- Comment #1 from Anastasius Focht focht@gmx.net --- Hello folks,
confirming, still present.
The app passes an outer IUnknown with *zero* ref count to 'OleCreateEmbeddingHelper' and expects it to stay alive.
Wine drops the ref count of outer unknown after creating the datacache object (refcount = 1 at this point), causing the destruction (memory freed). The app accesses the outer unknown vtable after 'OleCreateEmbeddingHelper' returns, causing the crash.
Source: http://source.winehq.org/git/wine.git/blob/c0a17a4f098ea148e24f4bc802a6739e6...
--- snip --- 1881 static DefaultHandler* DefaultHandler_Construct( 1882 REFCLSID clsid, 1883 LPUNKNOWN pUnkOuter, 1884 DWORD flags, 1885 IClassFactory *pCF) 1886 { 1887 DefaultHandler* This = NULL; 1888 HRESULT hr; ... 1919 This->outerUnknown = pUnkOuter; 1920 1921 /* 1922 * Create a datacache object. 1923 * We aggregate with the datacache. Make sure we pass our outer 1924 * unknown as the datacache's outer unknown. 1925 */ 1926 hr = CreateDataCache(This->outerUnknown, 1927 clsid, 1928 &IID_IUnknown, 1929 (void**)&This->dataCache); 1930 if(SUCCEEDED(hr)) 1931 { 1932 hr = IUnknown_QueryInterface(This->dataCache, &IID_IPersistStorage, (void**)&This->dataCache_PersistStg); 1933 /* keeping a reference to This->dataCache_PersistStg causes us to keep a 1934 * reference on the outer object */ 1935 if (SUCCEEDED(hr)) 1936 IUnknown_Release(This->outerUnknown); 1937 else 1938 IUnknown_Release(This->dataCache); 1939 } ... --- snip ---
Outer unknown is gone after line 1936 which should not happen.
$ sha1sum v21.5.3.exe 03958ea4ad4877bfdcdfd253845c677a94c53294 v21.5.3.exe
$ du -sh v21.5.3.exe 56M v21.5.3.exe
$ wine --version wine-1.7.25-21-gc87901d
Regards