Nikolay Sivov (@nsivov) commented about dlls/combase/combase.c:

 if (open_classes_key(HKEY_CLASSES_ROOT, buf, MAXIMUM_ALLOWED, &xhkey))
 {

•    free(buf);
  

•    WARN("couldn't open key for ProgID %s\n", debugstr_w(progid));
  

•    return CO_E_CLASSSTRING;
  

•    lstrcpyW(buf, progid);
  

•    lstrcatW(buf, L"\\CurVer");
  

•    if (RegQueryValueW(HKEY_CLASSES_ROOT, buf, buf3, &buf3len))
  

•    {
  

•        free(buf);
  

•        WARN("couldn't query CurVer value for ProgID %s\n", debugstr_w(progid));
  

•        return CO_E_CLASSSTRING;
  

•    }
  

•    lstrcpyW(buf, buf3);  
  

•    lstrcatW(buf, L"\\CLSID");      
  

Size of 'buf' has no relation to size of 'buf3', so you can't assume you can copy things and not overrun it.