From ce1517a3a1e1b731d9adffbebd85aa815b718162 Mon Sep 17 00:00:00 2001
From: Xiaobo Liu
Date: Sun, 1 Mar 2026 11:42:19 +0800
Subject: [PATCH] explorer_command_injector: Avoid COM out-pointer overwrite in class factory exports (#49210)
Release Notes:
- N/A
Signed-off-by: Xiaobo Liu
---
 .../src/explorer_command_injector.rs | 25 ++++++++-----------
 1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/crates/explorer_command_injector/src/explorer_command_injector.rs b/crates/explorer_command_injector/src/explorer_command_injector.rs
index bfa2a0326c9975037ed860acfdee7cd32e3075d8..1bd85339a9fd8958c496eccf2bedcb1610c56557 100644
--- a/crates/explorer_command_injector/src/explorer_command_injector.rs
+++ b/crates/explorer_command_injector/src/explorer_command_injector.rs
@@ -106,18 +106,17 @@ impl IClassFactory_Impl for ExplorerCommandInjectorFactory_Impl {
 riid: *const windows_core::GUID,
 ppvobject: *mut *mut core::ffi::c_void,
 ) -> Result<()> {
+ if ppvobject.is_null() || riid.is_null() {
+ return Err(windows::Win32::Foundation::E_POINTER.into());
+ }
+
 unsafe {
 *ppvobject = std::ptr::null_mut();
 }
+
 if punkouter.is_none() {
 let factory: IExplorerCommand = ExplorerCommandInjector {}.into();
- let ret = unsafe { factory.query(riid, ppvobject).ok() };
- if ret.is_ok() {
- unsafe {
- *ppvobject = factory.into_raw();
- }
- }
- ret
+ unsafe { factory.query(riid, ppvobject).ok() }
 } else {
 Err(E_INVALIDARG.into())
 }
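Review bot: The combined guard `if ppvobject.is_null() || riid.is_null()` returns before `*ppvobject = std::ptr::null_mut();` runs, so a call with a valid `ppvobject` and a null `riid` fails with E_POINTER while the caller's out pointer keeps whatever it held before. COM callers conventionally expect an out interface pointer to be NULL on failure, and one that tests the pointer rather than the HRESULT would go on to use a stale value. Split the guard: keep `if ppvobject.is_null() { return Err(windows::Win32::Foundation::E_POINTER.into()); }` first, leave the existing null store where it is, and add `if riid.is_null() { return Err(windows::Win32::Foundation::E_POINTER.into()); }` after it. The same ordering appears in the DllGetClassObject hunk, where a null `class_id` or `iid` returns E_INVALIDARG before `*out` is cleared. The signature and closing brace of this method lie outside the hunk.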
@@ -145,19 +144,17 @@ extern "system" fn DllGetClassObject(
 iid: *const GUID,
 out: *mut *mut std::ffi::c_void,
 ) -> HRESULT {
+ if out.is_null() || class_id.is_null() || iid.is_null() {
+ return E_INVALIDARG;
+ }
+
 unsafe {
 *out = std::ptr::null_mut();
 }
 let class_id = unsafe { *class_id };
 if class_id == MODULE_ID {
 let instance: IClassFactory = ExplorerCommandInjectorFactory {}.into();
- let ret = unsafe { instance.query(iid, out) };
- if ret.is_ok() {
- unsafe {
- *out = instance.into_raw();
- }
- }
- ret
+ unsafe { instance.query(iid, out) }
 } else {
 CLASS_E_CLASSNOTAVAILABLE
 }
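Review bot: The new tail expression `unsafe { instance.query(iid, out) }` and the dereferences before it carry no `// SAFETY:` comment, and the null checks added at the top are the only validation these pointers get. A non-null check does not show that `out` is writable or that `class_id` and `iid` point at a readable GUID; that still rests on the COM caller's contract, which is worth writing down at an exported entry point. I would add `// SAFETY: out, class_id and iid were checked non-null above; validity and alignment are the COM caller's obligation.` above the first unsafe block. The function signature starts before this hunk and its closing brace is outside it.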