From 616f5a5d4b05ab7278658549d15f5ff50b2c824f Mon Sep 17 00:00:00 2001
From: Puetz Kevin A
Date: Thu, 23 Jul 2020 04:58:37 +0000
Subject: [PATCH] jscript: Fix some memory problems in disp_call_value.

Signed-off-by: Kevin Puetz
Signed-off-by: Jacek Caban
Signed-off-by: Alexandre Julliard
---
 dlls/jscript/dispex.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/dlls/jscript/dispex.c b/dlls/jscript/dispex.c
index d9097c47dd5..2ba706252bc 100644
--- a/dlls/jscript/dispex.c
+++ b/dlls/jscript/dispex.c
@@ -2095,12 +2095,14 @@ HRESULT disp_call_value(script_ctx_t *ctx, IDispatch *disp, IDispatch *jsthis, W
 dp.rgdispidNamedArgs = NULL;
 }

- if(argc > ARRAY_SIZE(buf) && !(args = heap_alloc(argc * sizeof(VARIANT))))
+ if(dp.cArgs > ARRAY_SIZE(buf) && !(args = heap_alloc(dp.cArgs * sizeof(VARIANT))))
 return E_OUTOFMEMORY;
 dp.rgvarg = args;

- V_VT(dp.rgvarg) = VT_DISPATCH;
- V_DISPATCH(dp.rgvarg) = jsthis;
+ if(jsthis) {
+ V_VT(dp.rgvarg) = VT_DISPATCH;
+ V_DISPATCH(dp.rgvarg) = jsthis;
+ }

 for(i=0; SUCCEEDED(hres) && i < argc; i++)
 hres = jsval_to_variant(argv[i], dp.rgvarg+dp.cArgs-i-1);
@@ -2110,7 +2112,7 @@ HRESULT disp_call_value(script_ctx_t *ctx, IDispatch *disp, IDispatch *jsthis, W
 hres = disp_invoke(ctx, disp, DISPID_VALUE, flags, &dp, r ? &retv : NULL);
 }

- for(i = 0; i < argc&&0; i++)
+ for(i = 0; i < argc; i++)
 VariantClear(dp.rgvarg + dp.cArgs - i - 1);
 if(args != buf)
 heap_free(args);
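Review bot: The sizing rule this hunk corrects is not written down next to the allocation, so a later edit could reintroduce the undersized heap block. A comment above the `heap_alloc` line would pin it, for example `/* rgvarg holds dp.cArgs entries: argc arguments plus slot 0 for the named this argument when jsthis is set */`. The assignment of dp.cArgs is above the hunk, so the "argc plus one" reading is inferred from the `dp.rgvarg+dp.cArgs-i-1` indexing and the write to slot 0. Separately, `dp.cArgs * sizeof(VARIANT)` is unchecked; if callers do not bound argc, a wrap-around guard before the multiplication is worth adding. disp_call_value starts and ends outside the hunk.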
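Review bot: The re-enabled cleanup loop calls `VariantClear` on all argc slots even when the conversion loop in the previous hunk stopped early on a failed `jsval_to_variant`, so slots that were never converted are cleared with whatever the storage already held. Neither the declaration of buf nor whether heap_alloc zeroes memory is visible here, so this is a concern to confirm rather than a proven defect. If the storage is not zeroed, VariantClear would act on an arbitrary type tag and pointer. Setting every slot to VT_EMPTY right after `dp.rgvarg = args;`, for example `for(i = 0; i < dp.cArgs; i++) V_VT(dp.rgvarg + i) = VT_EMPTY;`, makes the unconditional clear safe. The function body continues outside the hunk.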