Thanks for commenting.

2015-03-04 15:48 GMT+08:00 Nikolay Sivov <bunglehead@gmail.com>:
On 04.03.2015 9:19, Shuai Meng wrote:
+    switch(V_VT(arg)) {
+    case VT_NULL:
+        return MAKE_VBSERROR(VBSE_ILLEGAL_NULL_USE);
+    case VT_BSTR:
+        bstr = V_BSTR(arg);
+        break;
+    default:
+        hres = to_string(arg, &bstr);
+        if(FAILED(hres))
+            return hres;
+    }
+
+    ret = bstr[0];
+    SysFreeString(bstr);
+
+    if(ret == 0)
+        return MAKE_VBSERROR(VBSE_ILLEGAL_FUNC_CALL);
+    return return_short(res, ret);

This is wrong too. You can't always free it like that, please look carefully at where 'bstr' comes from.

Yeah, you are right, I am so anxious that  I didn't check it carefully. 'bstr' has two source, only when it comes from to_string(), it can be freed with this way.