The code doesn't multiply the strlenW() by sizeof(WCHAR), allocating a buffer that is half the needed size, and resulting in a guaranteed buffer overflow and heap corruption when lstrcpyW() later copies the string.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=25264

Signed-off-by: Damjan Jovanovic damjan.jov@gmail.com --- dlls/comctl32/treeview.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)