This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate dcommon


(9 total, 2 outdated, 1 possibly insecure)

 Crate                 Required         Latest   Status
 auto-enum             ^0.2.0-alpha1    0.1.2    up to date
 checked-enum          ^0.1.1-alpha1    0.1.0    up to date
 com-impl              ^0.1.0-alpha2    0.2.0    out of date
 com-wrapper           ^0.1.0-alpha2    0.1.0    up to date
 derive-com-impl ⚠️    ^0.1.0-alpha3    0.2.0    out of date
 derive-com-wrapper    ^0.1.0-alpha4    0.1.0    up to date
 math2d                ^0.2.0-alpha1    0.1.3    up to date
 winapi                ^                         up to date
 wio                   ^                         up to date

Security Vulnerabilities

derive-com-impl: QueryInterface should call AddRef before returning pointer


The affected version of this crate, which is a required dependency of com-impl, provides a faulty implementation of the IUnknown::QueryInterface method.

A QueryInterface implementation must call IUnknown::AddRef before returning the pointer, as described in this documentation:

Because it does not increment the refcount as expected, the subsequent calls to the IUnknown::Release method will cause WMI to drop its reference to the interface, which can lead to an invalid reference.

This is documented in

There is no simple workaround, as you can't know how many times QueryInterface will be called. The only quick fix is to use the macro-expanded version of the code and modify the QueryInterface method to add the AddRef call yourself.

The issue was corrected in commit 9803f31fbd1717d482d848f041044d061fca6da7.
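
The refcount failure described in this advisory, and why calling AddRef a guessed number of times up front is not a workaround, modelled as an added Rust example (not code from derive-com-impl or from the advisory). `ComObject`, `run_caller` and the counters are hypothetical names; the object is a simulation that makes no real COM calls, and the caller stands in for a client such as WMI.

```rust
use std::cell::Cell;

// Simulated COM object (constructed for illustration): only the IUnknown
// reference count is modelled.
struct ComObject {
    refcount: Cell<u32>,
    destroyed: Cell<bool>,
    stale_calls: Cell<u32>, // Release calls made after destruction
}

impl ComObject {
    fn new() -> Self {
        // The creator owns the first reference.
        ComObject { refcount: Cell::new(1), destroyed: Cell::new(false), stale_calls: Cell::new(0) }
    }
    fn add_ref(&self) { self.refcount.set(self.refcount.get() + 1); }
    fn release(&self) {
        if self.destroyed.get() {
            // In real COM this would touch freed memory.
            self.stale_calls.set(self.stale_calls.get() + 1);
            return;
        }
        self.refcount.set(self.refcount.get() - 1);
        if self.refcount.get() == 0 { self.destroyed.set(true); }
    }
    // Faulty behaviour from the advisory: pointer handed out without AddRef.
    fn query_interface_faulty(&self) -> &Self { self }
    // Correct behaviour: AddRef before returning the pointer.
    fn query_interface_fixed(&self) -> &Self { self.add_ref(); self }
}

// A well-behaved caller pairs every QueryInterface with one Release.
// `pre_add_refs` models guessing the call count and calling AddRef up front.
// Returns (final refcount, destroyed while the creator still owns it, stale calls).
fn run_caller(fixed: bool, qi_calls: u32, pre_add_refs: u32) -> (u32, bool, u32) {
    let obj = ComObject::new();
    for _ in 0..pre_add_refs { obj.add_ref(); }
    for _ in 0..qi_calls {
        let iface = if fixed { obj.query_interface_fixed() } else { obj.query_interface_faulty() };
        iface.release();
    }
    (obj.refcount.get(), obj.destroyed.get(), obj.stale_calls.get())
}

fn main() {
    println!("fixed, 3 calls:           {:?}", run_caller(true, 3, 0));
    println!("faulty, 3 calls:          {:?}", run_caller(false, 3, 0));
    println!("faulty, guessed 2, got 3: {:?}", run_caller(false, 3, 2));
    println!("faulty, guessed 5, got 3: {:?}", run_caller(false, 3, 5));
}
```

A guess that is too low still destroys the object under its owner, and a guess that is too high leaves references that are never released, so only the exact call count would balance.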