typelib has an array size of 2 (eg LibXml_Last), so a lookup of IID_NULL will result in a lookup of the third index.
-- v6: msxml3: Do not leak bind context on error paths (Coverity)
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
--- dlls/msxml3/dispex.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/msxml3/dispex.c b/dlls/msxml3/dispex.c
index cd7c2820133..6212fc2976c 100644
--- a/dlls/msxml3/dispex.c
+++ b/dlls/msxml3/dispex.c
@@ -294,9 +294,9 @@ static dispex_data_t *preprocess_dispex_data(DispatchEx *This)
 data->funcs = heap_realloc(data->funcs, data->func_cnt * sizeof(func_info_t));
 }
- qsort(data->funcs, data->func_cnt, sizeof(func_info_t), dispid_cmp);
-
 if(data->funcs) {
+ qsort(data->funcs, data->func_cnt, sizeof(func_info_t), dispid_cmp);
+
 data->name_table = heap_alloc(data->func_cnt * sizeof(func_info_t*));
 for(i=0; i < data->func_cnt; i++)
 data->name_table[i] = data->funcs+i;
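Review bot: The `heap_alloc` result stored in `data->name_table` is used unchecked: the `for` loop on the very next line writes `data->name_table[i]`, so an allocation failure turns into a NULL-pointer write. Since the sort now lives inside the `if(data->funcs)` block, that block is the natural place for a guard such as `if(!data->name_table)` followed by the function's failure handling, placed before the loop. The right cleanup depends on the rest of preprocess_dispex_data, which continues outside the hunk. The `heap_realloc` line in the context also assigns straight back to `data->funcs`, so a failed reallocation would lose the previous buffer.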
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
This was reported as an out-of-bounds access (Coverity), which is possible if tid_NULL was ever passed in. --- dlls/msxml3/dispex.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/msxml3/dispex.c b/dlls/msxml3/dispex.c
index 6212fc2976c..ef68cb74745 100644
--- a/dlls/msxml3/dispex.c
+++ b/dlls/msxml3/dispex.c
@@ -82,7 +82,7 @@ static lib_id_t lib_ids[] = {
 };
static tid_id_t tid_ids[] = {
- { &IID_NULL, LibXml_Last },
+ { &IID_NULL, LibXml2 },
 { &IID_IXMLDOMAttribute, LibXml2 },
 { &IID_IXMLDOMCDATASection, LibXml2 },
 { &IID_IXMLDOMComment, LibXml2 },
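Review bot: The `{ &IID_NULL, LibXml2 }` row keeps the library value in range but says nothing about why a NULL interface id is paired with a real typelib, so a later edit could put a sentinel back. A comment on that row would record the constraint, for instance `/* tid_NULL placeholder: lib must be a valid typelib index, never LibXml_Last */`. If the lookup code that consumes `tid_ids` (outside this hunk) indexes an array of `LibXml_Last` elements, as the description suggests, a bounds check on the lib value at that site would protect every row rather than this one.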
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
--- dlls/msxml3/httprequest.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/dlls/msxml3/httprequest.c b/dlls/msxml3/httprequest.c
index 459466a1234..e21ece7d9c4 100644
--- a/dlls/msxml3/httprequest.c
+++ b/dlls/msxml3/httprequest.c
@@ -680,19 +680,12 @@ static const IAuthenticateVtbl AuthenticateVtbl = {
 static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback **obj, const VARIANT *body)
 {
 BindStatusCallback *bsc;
- IBindCtx *pbc;
+ IBindCtx *pbc = NULL;
 HRESULT hr;
 LONG size;
- hr = CreateBindCtx(0, &pbc);
- if (hr != S_OK) return hr;
-
- bsc = heap_alloc(sizeof(*bsc));
- if (!bsc)
- {
- IBindCtx_Release(pbc);
+ if (!(bsc = heap_alloc(sizeof(*bsc))))
 return E_OUTOFMEMORY;
- }
bsc->IBindStatusCallback_iface.lpVtbl = &BindStatusCallbackVtbl;
 bsc->IHttpNegotiate_iface.lpVtbl = &BSCHttpNegotiateVtbl;
@@ -795,7 +788,9 @@ static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback *
 SafeArrayUnaccessData(sa);
 }
- hr = RegisterBindStatusCallback(pbc, &bsc->IBindStatusCallback_iface, NULL, 0);
+ hr = CreateBindCtx(0, &pbc);
+ if (hr == S_OK)
+ hr = RegisterBindStatusCallback(pbc, &bsc->IBindStatusCallback_iface, NULL, 0);
 if (hr == S_OK)
 {
 IMoniker *moniker;
@@ -809,9 +804,11 @@ static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback *
 IMoniker_Release(moniker);
 if (stream) IStream_Release(stream);
 }
- IBindCtx_Release(pbc);
 }
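Review bot: The `if (hr == S_OK)` tests around CreateBindCtx and RegisterBindStatusCallback accept only S_OK, while the cleanup in the next hunk tests `FAILED(hr)`. A success code other than S_OK from either call would therefore skip the bind block and also skip the failure cleanup. The pattern predates this commit, but as these lines are being rewritten the two tests could be made to agree, e.g. `if (SUCCEEDED(hr))` here, or a comment could state that only S_OK is expected from both calls. What the function returns after the cleanup lies outside the hunk.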
+ if (pbc)
+ IBindCtx_Release(pbc);
+
 if (FAILED(hr))
 {
 IBindStatusCallback_Release(&bsc->IBindStatusCallback_iface);
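Review bot: The `if (pbc)` guard in front of `IBindCtx_Release(pbc)` is only safe because `pbc` is initialised to NULL in the first hunk of this file and CreateBindCtx is assumed not to store a pointer when it fails; nothing at this site says so. A one-line comment would keep that dependency visible, e.g. `/* pbc is still NULL if CreateBindCtx() failed */`. The `if (FAILED(hr))` block that follows continues outside the hunk.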
This merge request was approved by Nikolay Sivov.