ThemeCalculateCaptionButtonsPos uses uninitialized data

    if (!htheme)

        htheme = pwndData->hthemeWindow;

    if (!htheme)

    {

        htheme = GetNCCaptionTheme(hWnd, style);

        if (!htheme)

        {

            __debugbreak();

            htheme = GetNCCaptionTheme(hWnd, style);

        }

    }

/kd> kp

ChildEBP RetAddr  

0125f6cc 7c664528 kernel32!MulDiv(int nNumber = 0n-858993460, int nNumerator = 0n18, int nDenominator = 0n-858993460)+0x29 [r:\src\apphelp\dll\win32\kernel32\wine\muldiv.c @ 33]

0125f6e4 7a92ceb9 kernel32!$relaytrace$MulDiv(long a0 = 0n-858993460, long a1 = 0n18, long a2 = 0n-858993460)+0x58 [r:\build\apphelp\msvc\dll\win32\kernel32\kernel32_stubs.c @ 7789]

0125f788 7a934c3d uxtheme!ThemeCalculateCaptionButtonsPos(struct HWND__ * hWnd = 0x0006018c, void * htheme = 0x00000000)+0x179 [r:\src\apphelp\dll\win32\uxtheme\nonclient.c @ 259]

0125f7a8 77a8415e uxtheme!ThemePreWindowProc(struct HWND__ * hWnd = 0x0006018c, unsigned int Msg = 1, unsigned long wParam = 0, long lParam = 0n19265856, unsigned long ret = 0x125f7fc, unsigned int * unknown = 0x0125f7e4)+0x6d [r:\src\apphelp\dll\win32\uxtheme\themehooks.c @ 326]

0125f87c 77a89b3b user32!IntCallWindowProcW(int IsAnsiProc = 0n0, <function> * WndProc = 0x77a6a8c0, struct _WND * pWnd = 0x00358e50, struct HWND__ * hWnd = 0x0006018c, unsigned int Msg = 1, unsigned int wParam = 0, long lParam = 0n19265856)+0x49e [r:\src\apphelp\win32ss\user\user32\windows\message.c @ 1503]

0125f908 7c932c5c user32!User32CallWindowProcFromKernel(void * Arguments = 0x0125f920, unsigned long ArgumentLength = 0x5c)+0x26b [r:\src\apphelp\win32ss\user\user32\windows\message.c @ 2955]

0125faec 77a90288 ntdll!KiUserCallbackDispatcher+0x2e

0125fb88 77a6c2e1 user32!CreateWindowExW(unsigned long dwExStyle = 0x10001, wchar_t * lpClassName = 0x00008002 "--- memory read error at address 0x00008002 ---", wchar_t * lpWindowName = 0x7bc4a11e "Run", unsigned long dwStyle = 0x80c800cc, int x = 0n2, int y = 0n690, int nWidth = 0n347, int nHeight = 0n179, struct HWND__ * hWndParent = 0x00220186, struct HMENU__ * hMenu = 0x00000000, struct HINSTANCE__ * hInstance = 0x7b5b0000, void * lpParam = 0x00000000)+0x368 [r:\src\apphelp\win32ss\user\user32\windows\window.c @ 575]

0125fee0 77a6e9ea user32!DIALOG_CreateIndirect(struct HINSTANCE__ * hInst = 0x7b5b0000, void * dlgTemplate = 0x7bc4a148, struct HWND__ * owner = 0x00220186, <function> * dlgProc = 0x7b5b90c0, long param = 0n19267376, int unicode = 0n1, struct HWND__ ** modal_owner = 0x0125ff20)+0x6a1 [r:\src\apphelp\win32ss\user\user32\windows\dialog.c @ 947]

0125ff10 7b5ba5a1 user32!DialogBoxParamW(struct HINSTANCE__ * hInstance = 0x7b5b0000, wchar_t * lpTemplateName = 0x00000001 "--- memory read error at address 0x00000001 ---", struct HWND__ * hWndParent = 0x00220186, <function> * lpDialogFunc = 0x7b5b90c0, long dwInitParam = 0n19267376)+0x9a [r:\src\apphelp\win32ss\user\user32\windows\dialog.c @ 1880]

0125ff4c 00425547 shell32!RunFileDlg(struct HWND__ * hWndOwner = 0x00220186, struct HICON__ * hIcon = 0x00000000, wchar_t * lpstrDirectory = 0x001680f0 "C:\Documents and Settings\Administrator", wchar_t * lpstrTitle = 0x00000000 "", wchar_t * lpstrDescription = 0x00000000 "", unsigned int uFlags = 4)+0xb1 [r:\src\apphelp\dll\win32\shell32\dialogs\dialogs.cpp @ 416]

0125ffa8 004266fc explorer!CTrayWindow::RunFileDlgThread(void)+0xb7 [r:\src\apphelp\base\shell\explorer\traywnd.cpp @ 450]

0125ffb8 7c604c9d explorer!CTrayWindow::s_RunFileDlgThread(void * pParam = 0x0013f090)+0x1c [r:\src\apphelp\base\shell\explorer\traywnd.cpp @ 460]

0125ffec 00000000 kernel32!BaseThreadStartup(<function> * lpStartAddress = 0x004266e0, void * lpParameter = 0x0013f090)+0x5d [r:\src\apphelp\dll\win32\kernel32\client\thread.c @ 46]