On Dec 22, 2007 4:28 AM, Lionel_Debroux lionel_debroux@yahoo.fr wrote:

Several functions in dlls/msi/action.c and dlls/msi/database.c use constructs of the form ptr = msi_realloc (ptr, newsize);

In the (admittedly very unlikely) situation where msi_realloc fails, this leaks, or even faults: filename = msi_realloc(filename, len * sizeof(WCHAR) + sizeof(szlnk)); memcpy(filename + len, szlnk, sizeof(szlnk));

2007-12-14 Lionel Debroux lionel_debroux@yahoo.fr * dlls/msi/action.c, dlls/msi/database.c: msi: correctly handle return value of msi_realloc.

- filename = msi_realloc(filename, len * sizeof(WCHAR) + sizeof(szlnk)); + p = msi_realloc(filename, len * sizeof(WCHAR) + sizeof(szlnk)); + if (!p) + { + msi_free(target_folder); + msi_free(filename); + ERR("Not enough memory to grow filename\n"); + goto err; + } + filename = p;

Don't add ERRs for out of memory...and you need to return ERROR_OUTOFMEMORY in these cases.