Advisories for Cargo/Derive-Com-Impl package

2022

QueryInterface should call AddRef before returning pointer

Affected version of this crate, which is a required dependency in com-impl, provides a faulty implementation of the IUnknown::QueryInterface method. QueryInterface implementation must call IUnknown::AddRef before returning the pointer, as describe in this documentation: https://docs.microsoft.com/en-us/windows/win32/api/unknwn/nf-unknwn-iunknown-queryinterface(refiid_void) As it is not incrementing the refcount as expected, the following calls to IUnknown::Release method will cause WMI to drop reference to the interface, and can lead to invalid reference.