rpcrt4: Don't free the argument if the freer was called, unless it's a simple ref.

In the simple reference case the freer will not see the top-level
pointer, so we need to free that here.

This fixes a double-free caused by commit 614afcefa3.

Signed-off-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>

dlls/rpcrt4/ndr_stubless.c

@@ -1137,6 +1137,11 @@ LONG_PTR __cdecl call_server_func(SERVER_ROUTINE func, unsigned char * args, uns
 }
 #endif
 
+static inline BOOL param_needs_alloc( PARAM_ATTRIBUTES attr )
+{
+    return attr.IsOut && !attr.IsIn && !attr.IsBasetype && !attr.IsByValue;
+}
+
 static LONG_PTR *stub_do_args(MIDL_STUB_MESSAGE *pStubMsg,
                               PFORMAT_STRING pFormat, enum stubless_phase phase,
                               unsigned short number_of_params)
@@ -1172,20 +1177,14 @@ static LONG_PTR *stub_do_args(MIDL_STUB_MESSAGE *pStubMsg,
             {
                 HeapFree(GetProcessHeap(), 0, *(void **)pArg);
             }
-            else if (params[i].attr.IsOut &&
+            else if (param_needs_alloc(params[i].attr) &&
-                     !params[i].attr.IsIn &&
+                     (!params[i].attr.MustFree || params[i].attr.IsSimpleRef))
-                     !params[i].attr.IsBasetype &&
-                     !params[i].attr.IsByValue)
             {
                 if (*pTypeFormat != RPC_FC_BIND_CONTEXT) pStubMsg->pfnFree(*(void **)pArg);
             }
             break;
         case STUBLESS_INITOUT:
-            if (!params[i].attr.IsIn &&
+            if (param_needs_alloc(params[i].attr) && !params[i].attr.ServerAllocSize)
-                params[i].attr.IsOut &&
-                !params[i].attr.IsBasetype &&
-                !params[i].attr.ServerAllocSize &&
-                !params[i].attr.IsByValue)
             {
                 if (*pTypeFormat == RPC_FC_BIND_CONTEXT)
                 {