GHSA-9rg7-3j4f-cf4x: QueryInterface should call AddRef before returning pointer
Affected versions of this crate, which is a required dependency of com-impl, provide a faulty implementation of the IUnknown::QueryInterface method.

A QueryInterface implementation must call IUnknown::AddRef before returning the interface pointer, as described in this documentation:
https://docs.microsoft.com/en-us/windows/win32/api/unknwn/nf-unknwn-iunknown-queryinterface(refiid_void)

Because the reference count is not incremented as expected, the caller's subsequent calls to the IUnknown::Release method will cause WMI to drop its reference to the interface, which can lead to an invalid (dangling) reference.
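The refcount imbalance described above, shown with a portable Rust model written for this advisory (it is not the crate's or com-impl's code and does not touch the Windows API): a minimal COM-style object with AddRef/Release, a QueryInterface that omits AddRef beside one that follows the contract, and a client that does the QueryInterface-then-Release round trip the IUnknown rules require.

```rust
use std::cell::Cell;
/// Stand-in for a COM object (constructed for this example; not the Windows API or
/// com-impl): a reference count plus a flag set when the count hits zero, which is
/// the point at which a real COM object frees itself.
struct ComObject {
    refcount: Cell<u32>,
    freed: Cell<bool>,
}

impl ComObject {
    fn new() -> ComObject { // a new object holds one reference, owned by its creator
        ComObject { refcount: Cell::new(1), freed: Cell::new(false) }
    }
    fn add_ref(&self) -> u32 {
        self.refcount.set(self.refcount.get() + 1);
        self.refcount.get()
    }
    fn release(&self) -> u32 {
        let n = self.refcount.get().saturating_sub(1);
        self.refcount.set(n);
        if n == 0 {
            self.freed.set(true); // a real object would `delete this` here
        }
        n
    }
    /// The defect the advisory describes: the interface pointer is returned
    /// without AddRef, so the caller's matching Release is unbalanced.
    fn query_interface_faulty(&self) -> *const ComObject {
        self as *const ComObject
    }
    /// The IUnknown contract: AddRef before returning, so the caller owns exactly
    /// one reference and its eventual Release balances it.
    fn query_interface_correct(&self) -> *const ComObject {
        self.add_ref();
        self as *const ComObject
    }
}

/// Models a client such as WMI: QueryInterface, use the pointer, then Release it, as
/// IUnknown requires. Returns the creator's view: (remaining refcount, already freed?).
fn client_round_trip(qi: fn(&ComObject) -> *const ComObject) -> (u32, bool) {
    let obj = ComObject::new();
    let p = qi(&obj);
    unsafe { (*p).release() }; // the client releases the reference it was handed
    (obj.refcount.get(), obj.freed.get())
}
fn main() {
    println!("faulty QI:  {:?}", client_round_trip(ComObject::query_interface_faulty));
    println!("correct QI: {:?}", client_round_trip(ComObject::query_interface_correct));
}
```

With the faulty QueryInterface the creator still holds its original reference, yet the client's Release drives the count to zero and the object is freed underneath it; with the correct one the count returns to 1 and the object survives.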