From 26164e7b2e90e53e8ed7c03f4579a58907ca306e Mon Sep 17 00:00:00 2001
From: Aleksey Bragin <aleksey@reactos.org>
Date: Fri, 22 Oct 2010 16:22:21 +0000
Subject: [PATCH] [MSI] - Fix freed memory access and fix freeing of invalid
 pointer. (from
 http://www.winehq.org/pipermail/wine-patches/2010-October/094849.html ) See
 issue #3755 for more details.

svn path=/trunk/; revision=49229
---
 reactos/dll/win32/msi/action.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/reactos/dll/win32/msi/action.c b/reactos/dll/win32/msi/action.c
index 34c0ce419d5..808386f96e9 100644
--- a/reactos/dll/win32/msi/action.c
+++ b/reactos/dll/win32/msi/action.c
@@ -1985,7 +1985,7 @@ static UINT ITERATE_CostFinalizeConditions(MSIRECORD *row, LPVOID param)
 VS_FIXEDFILEINFO *msi_get_disk_file_version( LPCWSTR filename )
 {
     static const WCHAR name[] = {'\\',0};
-    VS_FIXEDFILEINFO *ret;
+    VS_FIXEDFILEINFO *ptr, *ret;
     LPVOID version;
     DWORD versize, handle;
     UINT sz;
@@ -2002,12 +2002,15 @@ VS_FIXEDFILEINFO *msi_get_disk_file_version( LPCWSTR filename )
 
     GetFileVersionInfoW( filename, 0, versize, version );
 
-    if (!VerQueryValueW( version, name, (LPVOID *)&ret, &sz ))
+    if (!VerQueryValueW( version, name, (LPVOID *)&ptr, &sz ))
     {
         msi_free( version );
         return NULL;
     }
 
+    ret = msi_alloc( sz );
+    memcpy( ret, ptr, sz );
+
     msi_free( version );
     return ret;
 }