Explorer crashing when canceling renaming via unhandled exception via comctl32 LISTVIEW_DeselectAllSkipItems

I do report that against a GCC8.4.0 RosBE2.2.2 build of master head 0.4.15-dev-5918-gf8f9c17
The crash is reproducible and a GCC4.7.2 RosBE2.1.6 build of 0.4.14-release-66-gc819d4a is affected the very same way

Reproduction steps

• make sure you have a gflags.exe at hand because we need to enable DPH to see it
• run cmd.exe
• break into the debugger and enable breakOnFirstChance, e.g. with putty type

  set condition * first always

  cont

• kill explorer.exe via taskmgr
• in the cmd prompt type

  gflags /p /enable explorer.exe /full

  explorer.exe

• open a shellbrowser and enable the treeview
• click once on "drive C" in the treeview to enter the renaming mode
• now cancel the current renaming operation (not via ESC) but by clicking with the mouse somewhere else outside the editing field
  explorer will crash after breaking into debugger then with the following callstack

  travellog.cpp:129: Unexpected failure (hResult)=80004005.

  (ntoskrnl/mm/mmfault.c:137) Address: d0d00000

  

  Entered debugger on first-chance exception (Exception Code: 0xc0000005) (Page Fault)

  Memory at 0xD0D00000 could not be accessed

  kdb:> bt

  Eip:

  <comctl32.dll:4f602 (dll/win32/comctl32/listview.c:3252 (LISTVIEW_DeselectAllSkipItems))>

  Frames:

  <comctl32.dll:56a23 (dll/win32/comctl32/listview.c:3530 (LISTVIEW_WindowProc))>

  <user32.dll:6aec5 (win32ss/user/user32/windows/wndproc_fixup.S:44 (CALL_EXTERN_WNDPROC))>

  <user32.dll:5f1b3 (win32ss/user/user32/windows/message.c:1547 (IntCallWindowProcW))>

  <user32.dll:5f5cd (win32ss/user/user32/windows/message.c:1798 (IntCallMessageProc))>

  <user32.dll:5fd3e (win32ss/user/user32/windows/message.c:2046 (DispatchMessageW))>

  <browseui.dll:2c491 (dll/win32/browseui/desktopipc.cpp:409 (BrowserThreadProc))>

  <kernel32.dll:1c973 (dll/win32/kernel32/client/thread.c:71 (BaseThreadStartup))>

  kdb:> cont

  Unhandled exception

  ExceptionCode: c0000005

  Faulting Address: D0D00000

  CS:EIP 1b:7bccf602

  DS 23 ES 23 FS 38 GS 0

  EAX: d0d00000 EBX: 03079ff8 ECX: 00000001

  EDX: 03079ff8 EBP: 02c6fc24 ESI: 000000ed ESP: 02c6fb9c

  EDI: 01b10ff8 EFLAGS: 00010246

  Address:

  <comctl32.dll:4f602 (dll/win32/comctl32/listview.c:3252 (LISTVIEW_DeselectAllSkipItems))> (C:\ReactOS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef\comctl32.dll@7bc80000)

  Frames:

  <comctl32.dll:56a28 (dll/win32/comctl32/listview.c:3531 (LISTVIEW_WindowProc))> (C:\ReactOS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef\comctl32.dll@7bc80000)

  <user32.dll:6aeca (win32ss/user/user32/windows/wndproc_fixup.S:48 (CALL_EXTERN_WNDPROC))> (C:\ReactOS\system32\user32.dll@77a20000)

  <user32.dll:5f1b8 (win32ss/user/user32/windows/message.c:1547 (IntCallWindowProcW))> (C:\ReactOS\system32\user32.dll@77a20000)

  <user32.dll:5f5d2 (win32ss/user/user32/windows/message.c:1798 (IntCallMessageProc))> (C:\ReactOS\system32\user32.dll@77a20000)

  <user32.dll:5fd43 (win32ss/user/user32/windows/message.c:2046 (DispatchMessageW))> (C:\ReactOS\system32\user32.dll@77a20000)

  <browseui.dll:2c496 (dll/win32/browseui/desktopipc.cpp:409 (BrowserThreadProc))> (C:\ReactOS\System32\browseui.dll@78970000)

  <kernel32.dll:1c978 (dll/win32/kernel32/client/thread.c:71 (BaseThreadStartup))> (C:\ReactOS\system32\kernel32.dll@7c620000)

  err:(win32ss/user/user32/windows/messagebox.c:1048) MessageBox: L"The instruction at \"0x7bccf602\" referenced memory at \"0xd0d00000\". The memory could not be \"read\".\r\n\nClick on OK to terminate the program.\nClick on CANCEL to debug the program."

0.4.15-dev-5918-gf8f9c17_DPH_explorerCrash_LISTVIEW_DeselectAllSkipItems.webm
0.4.15-dev-5918-gf8f9c17_DPH_explorerCrash_LISTVIEW_DeselectAllSkipItems.log