From d9211c9e5f92a9127308a6c306d4a9af38ae89d7 Mon Sep 17 00:00:00 2001
From: Vincent Povirk <vincent@codeweavers.com>
Date: Thu, 25 Jul 2013 15:13:24 -0500
Subject: [PATCH] atl: Do not access m_pTermFuncs if the structure is too
 small.

---
 dlls/atl/atl_main.c     | 30 +++++++++++++++++++-----------
 dlls/atl/tests/module.c | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/dlls/atl/atl_main.c b/dlls/atl/atl_main.c
index cc3cce1a3cf..985d7066feb 100644
--- a/dlls/atl/atl_main.c
+++ b/dlls/atl/atl_main.c
@@ -123,15 +123,20 @@ HRESULT WINAPI AtlModuleLoadTypeLib(_ATL_MODULEW *pM, LPCOLESTR lpszIndex,
 
 HRESULT WINAPI AtlModuleTerm(_ATL_MODULE *pM)
 {
-    _ATL_TERMFUNC_ELEM *iter = pM->m_pTermFuncs, *tmp;
+    _ATL_TERMFUNC_ELEM *iter, *tmp;
 
     TRACE("(%p)\n", pM);
 
-    while(iter) {
-        iter->pFunc(iter->dw);
-        tmp = iter;
-        iter = iter->pNext;
-        HeapFree(GetProcessHeap(), 0, tmp);
+    if (pM->cbSize > ATLVer1Size)
+    {
+        iter = pM->m_pTermFuncs;
+
+        while(iter) {
+            iter->pFunc(iter->dw);
+            tmp = iter;
+            iter = iter->pNext;
+            HeapFree(GetProcessHeap(), 0, tmp);
+        }
     }
 
     return S_OK;
@@ -143,12 +148,15 @@ HRESULT WINAPI AtlModuleAddTermFunc(_ATL_MODULEW *pM, _ATL_TERMFUNC *pFunc, DWOR
 
     TRACE("(%p %p %ld)\n", pM, pFunc, dw);
 
-    termfunc_elem = HeapAlloc(GetProcessHeap(), 0, sizeof(_ATL_TERMFUNC_ELEM));
-    termfunc_elem->pFunc = pFunc;
-    termfunc_elem->dw = dw;
-    termfunc_elem->pNext = pM->m_pTermFuncs;
+    if (pM->cbSize > ATLVer1Size)
+    {
+        termfunc_elem = HeapAlloc(GetProcessHeap(), 0, sizeof(_ATL_TERMFUNC_ELEM));
+        termfunc_elem->pFunc = pFunc;
+        termfunc_elem->dw = dw;
+        termfunc_elem->pNext = pM->m_pTermFuncs;
 
-    pM->m_pTermFuncs = termfunc_elem;
+        pM->m_pTermFuncs = termfunc_elem;
+    }
 
     return S_OK;
 }
diff --git a/dlls/atl/tests/module.c b/dlls/atl/tests/module.c
index 45cff060062..192b23ef1e7 100644
--- a/dlls/atl/tests/module.c
+++ b/dlls/atl/tests/module.c
@@ -113,8 +113,48 @@ static void test_winmodule(void)
     ok(winmod.m_pCreateWndList == create_data+1, "winmod.m_pCreateWndList != create_data\n");
 }
 
+static DWORD cb_val;
+
+static void WINAPI term_callback(DWORD dw)
+{
+    cb_val = dw;
+}
+
+static void test_term(void)
+{
+    _ATL_MODULEW test;
+    HRESULT hres;
+
+    test.cbSize = sizeof(_ATL_MODULEW);
+
+    hres = AtlModuleInit(&test, NULL, NULL);
+    ok (hres == S_OK, "AtlModuleInit failed (0x%x).\n", (int)hres);
+
+    hres = AtlModuleAddTermFunc(&test, term_callback, 0x22);
+    ok (hres == S_OK, "AtlModuleAddTermFunc failed (0x%x).\n", (int)hres);
+
+    cb_val = 0xdeadbeef;
+    hres = AtlModuleTerm(&test);
+    ok (hres == S_OK, "AtlModuleTerm failed (0x%x).\n", (int)hres);
+    ok (cb_val == 0x22, "wrong callback value (0x%x).\n", (int)cb_val);
+
+    test.cbSize = FIELD_OFFSET(_ATL_MODULEW, dwAtlBuildVer);
+
+    hres = AtlModuleInit(&test, NULL, NULL);
+    ok (hres == S_OK, "AtlModuleInit failed (0x%x).\n", (int)hres);
+
+    hres = AtlModuleAddTermFunc(&test, term_callback, 0x23);
+    ok (hres == S_OK, "AtlModuleAddTermFunc failed (0x%x).\n", (int)hres);
+
+    cb_val = 0xdeadbeef;
+    hres = AtlModuleTerm(&test);
+    ok (hres == S_OK, "AtlModuleTerm failed (0x%x).\n", (int)hres);
+    ok (cb_val == 0xdeadbeef, "wrong callback value (0x%x).\n", (int)cb_val);
+}
+
 START_TEST(module)
 {
     test_StructSize();
     test_winmodule();
+    test_term();
 }