explorer_command_injector: Avoid COM out-pointer overwrite in class factory exports (#49210)

Xiaobo Liu created 

Release Notes:

- N/A

Signed-off-by: Xiaobo Liu <cppcoffee@gmail.com>

Change summary

crates/explorer_command_injector/src/explorer_command_injector.rs | 25 
1 file changed, 11 insertions(+), 14 deletions(-)

Detailed changes

crates/explorer_command_injector/src/explorer_command_injector.rs 🔗 

@@ -106,18 +106,17 @@ impl IClassFactory_Impl for ExplorerCommandInjectorFactory_Impl {
         riid: *const windows_core::GUID,
         ppvobject: *mut *mut core::ffi::c_void,
     ) -> Result<()> {
+        if ppvobject.is_null() || riid.is_null() {
+            return Err(windows::Win32::Foundation::E_POINTER.into());
+        }
+
         unsafe {
             *ppvobject = std::ptr::null_mut();
         }
+
         if punkouter.is_none() {
             let factory: IExplorerCommand = ExplorerCommandInjector {}.into();
-            let ret = unsafe { factory.query(riid, ppvobject).ok() };
-            if ret.is_ok() {
-                unsafe {
-                    *ppvobject = factory.into_raw();
-                }
-            }
-            ret
+            unsafe { factory.query(riid, ppvobject).ok() }
         } else {
             Err(E_INVALIDARG.into())
         }
@@ -145,19 +144,17 @@ extern "system" fn DllGetClassObject(
     iid: *const GUID,
     out: *mut *mut std::ffi::c_void,
 ) -> HRESULT {
+    if out.is_null() || class_id.is_null() || iid.is_null() {
+        return E_INVALIDARG;
+    }
+
     unsafe {
         *out = std::ptr::null_mut();
     }
     let class_id = unsafe { *class_id };
     if class_id == MODULE_ID {
         let instance: IClassFactory = ExplorerCommandInjectorFactory {}.into();
-        let ret = unsafe { instance.query(iid, out) };
-        if ret.is_ok() {
-            unsafe {
-                *out = instance.into_raw();
-            }
-        }
-        ret
+        unsafe { instance.query(iid, out) }
     } else {
         CLASS_E_CLASSNOTAVAILABLE
     }