My heap corruption problem turned out to be a bug in swprintf (well, really in NTDLL_vsnwprintf), I think. I tried formatting like this:
    WCHAR keyname[21] = { 'C', 'o', 'm', 'p', 'o', 'n', 'e', 'n', 't', ' ', 'C', 'a', 't', 'e', 'g', 'o', 'r', 'i', 'e', 's', 0 };
    WCHAR fmt[4] = { '%', 'l', 'X', 0 };
    swprintf(This->xlcid, fmt, lcid);
My poor little WCHAR xlcid[9] member of This was seriously overflowed by the string L"409Component Categories". The following patch fixes what appears to be a format reading bug in NTDLL_vsnwprintf. I didn't just send it to wine-patches because it's not my area and it seems unlikely such a bad bug could hang around in such a function. Then again, I don't see many uses of swprintf in the source; should I be using something better for sprintf's of WCHAR's?
--- dlls/ntdll/wcstring.c.~1.15.~ Thu May 16 19:59:27 2002 +++ dlls/ntdll/wcstring.c Fri May 17 23:09:21 2002 @@ -451,10 +451,7 @@ } if (*iter == (WCHAR)L'h' || *iter == (WCHAR)L'l') - { *fmta++ = *iter++; - *fmta++ = *iter++; - }
switch (*iter) {
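Review bot: removing the second `*fmta++ = *iter++;` stops the conversion character (the `X` of `%lX`) from being swallowed as if it were part of the length modifier, but it also means a two-letter modifier such as `ll` or `hh` now leaves its second letter for the `switch (*iter)` that follows; confirm the enclosing code comes back through this `h`/`l` check for the next character, or handle `ll`/`hh` explicitly so they are not dispatched as unknown conversions. The hunk header's -10/+7 line counts match the three removed lines, so the patch itself applies cleanly.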
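To make the parsing defect concrete, here is a constructed model of the modifier-reading step that the patch touches (added here as illustration, not Wine's code): `iter` points just past the `%`, the modifier is copied into `fmta`, and the function returns the character the following `switch` would dispatch on. The names `read_modifier` and the `fixed` flag are mine; `fixed == 0` reproduces the unpatched double copy, `fixed == 1` the patched single copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Constructed model (not Wine's code) of the h/l handling in NTDLL_vsnwprintf.
 * Copies the length modifier into fmta (NUL-terminated, at most n-1 chars)
 * and returns the character the conversion switch would then see. */
static wchar_t read_modifier(const wchar_t *iter, int fixed, wchar_t *fmta, size_t n)
{
    size_t used = 0;

    if (*iter == L'h' || *iter == L'l') {
        if (used + 1 < n) fmta[used++] = *iter;
        iter++;
        if (!fixed) {
            /* Unpatched behaviour: a second character is consumed
             * unconditionally, even when it is the conversion character. */
            if (used + 1 < n) fmta[used++] = *iter;
            if (*iter) iter++;   /* model stops at the terminator instead of reading past it */
        }
    }
    fmta[used] = 0;
    return *iter;
}

int main(void)
{
    wchar_t buf[8];
    const wchar_t *spec = L"lX";   /* what follows the '%' in "%lX" */

    /* Unpatched: 'X' lands in the modifier buffer and the switch sees NUL. */
    wchar_t c = read_modifier(spec, 0, buf, sizeof buf / sizeof buf[0]);
    printf("unpatched: modifier=\"%ls\" switch sees 0x%02x\n", buf, (unsigned)c);

    /* Patched: only 'l' is copied and the switch sees 'X' as intended. */
    c = read_modifier(spec, 1, buf, sizeof buf / sizeof buf[0]);
    printf("patched:   modifier=\"%ls\" switch sees '%lc'\n", buf, (wint_t)c);
    return 0;
}
```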