typelib has an array size of 2 (e.g. LibXml_Last), so a lookup of IID_NULL will result in a lookup of the third index.
-- v4: msxml3: Free IBindCtx on error paths (Coverity)
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
--- dlls/msxml3/dispex.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/msxml3/dispex.c b/dlls/msxml3/dispex.c
index cd7c2820133..6212fc2976c 100644
--- a/dlls/msxml3/dispex.c
+++ b/dlls/msxml3/dispex.c
@@ -294,9 +294,9 @@ static dispex_data_t *preprocess_dispex_data(DispatchEx *This)
 data->funcs = heap_realloc(data->funcs, data->func_cnt * sizeof(func_info_t));
 }
- qsort(data->funcs, data->func_cnt, sizeof(func_info_t), dispid_cmp);
- if(data->funcs) {
+ qsort(data->funcs, data->func_cnt, sizeof(func_info_t), dispid_cmp);
+ data->name_table = heap_alloc(data->func_cnt * sizeof(func_info_t*));
 for(i=0; i < data->func_cnt; i++)
 data->name_table[i] = data->funcs+i;
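Review bot: The result of the new `data->name_table = heap_alloc(...)` is written through by the loop on the next line without a NULL check, so an allocation failure (and, if heap_alloc returns NULL for a zero-size request, the func_cnt == 0 case) becomes a NULL dereference; the removed `if(data->funcs)` guard previously skipped this path when there were no functions. The function's return convention is outside the hunk, but if it signals failure by returning NULL the allocation should be checked: `if(!data->name_table) { /* release data->funcs and data */ return NULL; }`. Note also that calling `qsort` on a NULL `data->funcs` with a zero count is, strictly speaking, undefined, so guarding the whole tail on `data->func_cnt` would keep both calls well-defined. preprocess_dispex_data continues outside the hunk.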
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
This was reported as an out-of-bounds access (Coverity), which is possible if tid_NULL was ever passed in. --- dlls/msxml3/dispex.c | 1 - dlls/msxml3/msxml_dispex.h | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/msxml3/dispex.c b/dlls/msxml3/dispex.c
index 6212fc2976c..1289fb4ec91 100644
--- a/dlls/msxml3/dispex.c
+++ b/dlls/msxml3/dispex.c
@@ -82,7 +82,6 @@ static lib_id_t lib_ids[] = {
 };
static tid_id_t tid_ids[] = {
- { &IID_NULL, LibXml_Last },
 { &IID_IXMLDOMAttribute, LibXml2 },
 { &IID_IXMLDOMCDATASection, LibXml2 },
 { &IID_IXMLDOMComment, LibXml2 },
diff --git a/dlls/msxml3/msxml_dispex.h b/dlls/msxml3/msxml_dispex.h
index 31d0cdfae7d..28d6486568d 100644
--- a/dlls/msxml3/msxml_dispex.h
+++ b/dlls/msxml3/msxml_dispex.h
@@ -34,9 +34,10 @@ typedef enum
 MSXML6 = 60
 } MSXML_VERSION;
+#define NULL_tid -1
+
 typedef enum tid_t {
- NULL_tid,
 IXMLDOMAttribute_tid,
 IXMLDOMCDATASection_tid,
 IXMLDOMComment_tid,
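Review bot: With `NULL_tid` now `#define NULL_tid -1` and the `{ &IID_NULL, LibXml_Last }` entry dropped from `tid_ids[]` in the dispex.c hunk, an index `tid_ids[tid]` with tid == NULL_tid reads one element before the array instead of an in-range entry with an out-of-range lib id, and neither hunk adds a guard that rejects NULL_tid before such a lookup. Whether any caller can still pass NULL_tid is not visible here, so the lookup code (outside this patch) should reject it explicitly rather than rely on callers, e.g. `if (tid == NULL_tid) return E_INVALIDARG;` adapted to its return convention. A comment beside the define, `/* sentinel only; never a valid index into tid_ids[] */`, would make that contract explicit. As a point of style, an enumerator `NULL_tid = -1` inside `tid_t` instead of a macro would keep the value typed and visible in a debugger.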
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
--- dlls/msxml3/httprequest.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/dlls/msxml3/httprequest.c b/dlls/msxml3/httprequest.c
index 459466a1234..a0a08869ae4 100644
--- a/dlls/msxml3/httprequest.c
+++ b/dlls/msxml3/httprequest.c
@@ -684,15 +684,9 @@ static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback *
 HRESULT hr;
 LONG size;
- hr = CreateBindCtx(0, &pbc);
- if (hr != S_OK) return hr;
-
 bsc = heap_alloc(sizeof(*bsc));
 if (!bsc)
- {
- IBindCtx_Release(pbc);
 return E_OUTOFMEMORY;
- }
bsc->IBindStatusCallback_iface.lpVtbl = &BindStatusCallbackVtbl;
 bsc->IHttpNegotiate_iface.lpVtbl = &BSCHttpNegotiateVtbl;
@@ -795,6 +789,13 @@ static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback *
 SafeArrayUnaccessData(sa);
 }
+ hr = CreateBindCtx(0, &pbc);
+ if (hr != S_OK)
+ {
+ IBindStatusCallback_Release(&bsc->IBindStatusCallback_iface);
+ return hr;
+ }
+
 hr = RegisterBindStatusCallback(pbc, &bsc->IBindStatusCallback_iface, NULL, 0);
 if (hr == S_OK)
 {
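Review bot: Once the relocated `CreateBindCtx` succeeds the function owns both `bsc` and `pbc`, but the hunk ends at `if (hr == S_OK)`, so the failure branch of `RegisterBindStatusCallback`, which now has to release `pbc` as well as `bsc`, is not visible; please confirm it does, since that would be the remaining leak of the kind the commit title targets. A comment at the new call would make the obligation explicit: `/* from here on both bsc and pbc must be released on every failure path */`. The early returns between this hunk and the previous one (the SafeArray handling) no longer leak pbc, but presumably still need to release bsc; that code is outside the hunks. BindStatusCallback_create continues outside the hunk.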