GHSA-9rg7-3j4f-cf4x

Source
https://github.com/advisories/GHSA-9rg7-3j4f-cf4x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-9rg7-3j4f-cf4x/GHSA-9rg7-3j4f-cf4x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9rg7-3j4f-cf4x
Aliases
Published
2022-06-16T23:52:51Z
Modified
2023-11-08T04:07:21.492435Z
Summary
QueryInterface should call AddRef before returning pointer
Details

Affected versions of this crate, which is a required dependency of com-impl, provide a faulty implementation of the IUnknown::QueryInterface method.

A QueryInterface implementation must call IUnknown::AddRef before returning the pointer, as described in this documentation: https://docs.microsoft.com/en-us/windows/win32/api/unknwn/nf-unknwn-iunknown-queryinterface(refiid_void)

Because the refcount is not incremented as expected, subsequent calls to the IUnknown::Release method will cause WMI to drop its reference to the interface, which can lead to an invalid reference.

This is documented in https://docs.microsoft.com/en-us/windows/win32/learnwin32/managing-the-lifetime-of-an-object#reference-counting

There is no simple workaround, as you can't know how many times QueryInterface will be called. The only quick fix is to use the macro-expanded version of the code and modify the QueryInterface method to add the AddRef call yourself.

The issue was corrected in commit 9803f31fbd1717d482d848f041044d061fca6da7.
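
A minimal model of the reference-counting fault described above, added here as an illustration; it is not code from derive-com-impl or from the fix commit. `ComObject`, `query_interface_faulty`, `query_interface_fixed` and `creator_ref_survives` are hypothetical names, and destruction is simulated with a flag instead of freed memory.

```rust
use std::cell::Cell;

/// Constructed stand-in for a COM object with a manual reference count.
struct ComObject {
    refs: Cell<u32>,
    destroyed: Cell<bool>,
}

impl ComObject {
    /// A new object starts with one reference, held by its creator.
    fn new() -> Self {
        ComObject { refs: Cell::new(1), destroyed: Cell::new(false) }
    }
    fn add_ref(&self) -> u32 {
        self.refs.set(self.refs.get() + 1);
        self.refs.get()
    }
    /// Drops one reference; at zero the object destroys itself.
    fn release(&self) -> u32 {
        self.refs.set(self.refs.get() - 1);
        if self.refs.get() == 0 {
            self.destroyed.set(true); // a real COM object frees its memory here
        }
        self.refs.get()
    }
    /// Faulty behaviour from the advisory: pointer handed out, no AddRef.
    fn query_interface_faulty(&self) -> &ComObject {
        self
    }
    /// Corrected behaviour: the returned pointer carries its own reference.
    fn query_interface_fixed(&self) -> &ComObject {
        self.add_ref();
        self
    }
}

/// A client (WMI in the advisory) queries the interface and releases it once.
/// Returns true if the creator's original reference is still valid afterwards.
fn creator_ref_survives(fixed: bool) -> bool {
    let obj = ComObject::new();
    let iface = if fixed { obj.query_interface_fixed() } else { obj.query_interface_faulty() };
    iface.release(); // the client's matching Release for its QueryInterface
    !obj.destroyed.get()
}

fn main() {
    println!("faulty QueryInterface: creator ref valid = {}", creator_ref_survives(false));
    println!("fixed QueryInterface:  creator ref valid = {}", creator_ref_survives(true));
}
```

With the faulty variant the client's single Release takes the count from 1 to 0, so the object is destroyed while its creator still holds a pointer to it.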

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-16T23:52:51Z"
}
References

Affected packages

crates.io / derive-com-impl

Package

Name
derive-com-impl
Purl
pkg:cargo/derive-com-impl

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.1.2

Ecosystem specific

{
    "affected_functions": [
        "derive_com_impl::derive_com_impl"
    ]
}