Why waveOutWrite() means an difference debug heap?


While researching issue, I found churned mentions following unfolding online, constantly unanswered questions programming forums. I wish posting here during slightest offer request findings.



First, symptom: while controlling graceful customary formula uses waveOutWrite() cost PCM audio, I infrequently controlling underneath debugger:



ntdll.dll!_DbgBreakPoint@0()
ntdll.dll!_RtlpBreakPointHeap@4() + 0x28 bytes
ntdll.dll!_RtlpValidateHeapEntry@12() + 0x113 bytes
ntdll.dll!_RtlDebugGetUserInfoHeap@20() + 0x96 bytes
ntdll.dll!_RtlGetUserInfoHeap@20() + 0x32743 bytes
kernel32.dll!_GlobalHandle@4() + 0x3a bytes
wdmaud.drv!_waveCompleteHeader@4() + 0x40 bytes
wdmaud.drv!_waveThread@4() + 0x9c bytes
kernel32.dll!_BaseThreadStart@8() + 0x37 bytes


While apparent think store crime somewhere else code, I found out that's case. Furthermore, I means imitate problem controlling following formula (this biased dialog formed MFC application):



/* hWaveOut (HWAVEOUT) and header (WAVEHDR) are declared elsewhere,
   e.g. as members of the dialog class. Requires <mmsystem.h> and winmm.lib. */
void CWaveoutDlg::OnBnClickedButton1()
{
    WAVEFORMATEX wfx;
    wfx.nSamplesPerSec = 44100; /* sample rate */
    wfx.wBitsPerSample = 16; /* sample size */
    wfx.nChannels = 2;
    wfx.cbSize = 0; /* size of _extra_ info */
    wfx.wFormatTag = WAVE_FORMAT_PCM;
    wfx.nBlockAlign = (wfx.wBitsPerSample >> 3) * wfx.nChannels;
    wfx.nAvgBytesPerSec = wfx.nBlockAlign * wfx.nSamplesPerSec;

    /* Completion is reported to this window as an MM_WOM_DONE message. */
    waveOutOpen(&hWaveOut,
                WAVE_MAPPER,
                &wfx,
                (DWORD_PTR)m_hWnd,
                0,
                CALLBACK_WINDOW);

    ZeroMemory(&header, sizeof(header));
    header.dwBufferLength = 4608;
    header.lpData = (LPSTR)GlobalLock(GlobalAlloc(GMEM_MOVEABLE | GMEM_SHARE | GMEM_ZEROINIT, 4608));

    waveOutPrepareHeader(hWaveOut, &header, sizeof(header));
    waveOutWrite(hWaveOut, &header, sizeof(header));
}

/* MM_WOM_DONE handler: wParam is the device handle, lParam the finished WAVEHDR. */
afx_msg LRESULT CWaveoutDlg::OnWOMDone(WPARAM wParam, LPARAM lParam)
{
    HWAVEOUT dev = (HWAVEOUT)wParam;
    WAVEHDR *hdr = (WAVEHDR*)lParam;
    waveOutUnprepareHeader(dev, hdr, sizeof(WAVEHDR));
    GlobalFree(GlobalHandle(hdr->lpData));
    /* Re-queue the same header with a fresh buffer. */
    ZeroMemory(hdr, sizeof(*hdr));
    hdr->dwBufferLength = 4608;
    hdr->lpData = (LPSTR)GlobalLock(GlobalAlloc(GMEM_MOVEABLE | GMEM_SHARE | GMEM_ZEROINIT, 4608));
    waveOutPrepareHeader(hWaveOut, &header, sizeof(WAVEHDR));
    waveOutWrite(hWaveOut, hdr, sizeof(WAVEHDR));
    return 0;
}


Before anyone comments this, approbation - illustration formula plays behind uninitialized memory. Don't try your speakers incited proceed up.



Some debugging suggested following information: waveOutPrepareHeader() populates header.reserved pointer appears structure containing during slightest twin pointers the initial twin members. Initial pointer set NULL. After job waveOutWrite(), pointer set pointer allocated tellurian heap. Pseudo code, feeling something this:



struct Undocumented { void *p1, *p2; }; /* may have more members */

MMRESULT waveOutPrepareHeader( handle, LPWAVEHDR hdr, ...) {
    hdr->reserved = (Undocumented*)calloc(1, sizeof(Undocumented));
    /* more stuff... */
}

MMRESULT waveOutWrite( handle, LPWAVEHDR hdr, ...) {

    /* the following assignment fails rarely, causing the problem: */
    hdr->reserved->p1 = malloc( /* block of private data */ );
    /* probably more code to trigger playback */
}


Normally, header returned concentration waveCompleteHeader(), duty middle wdmaud.dll. waveCompleteHeader() tries deallocate pointer allocated waveOutWrite() job GlobalHandle()/GlobalUnlock() friends. Sometimes, GlobalHandle() bombs, shown above.



Now, reason GlobalHandle() bombs due store corruption, I suspected during initial - it's since waveOutWrite() returned but surroundings initial pointer middle structure current pointer. I think frees memory separate pointer before returning, nonetheless I haven't messy yet.



This wholly appears occur call playback component low buffers, since I'm controlling unparalleled header imitate this.



At indicate I have graceful good box opposing being bug concentration - after all, concentration even running. Anyone seen before?



I'm observant Windows XP SP2. Audio tag SigmaTel, engineer chronicle 5.10.0.4995.



Notes:



To hinder difficulty future, I'd indicate out answer suggesting problem lies malloc()/free() control buffers being played simply wrong. You'll note I altered formula above simulate suggestion, hinder some-more origination same mistake - doesn't difference. Aegis being liberated waveCompleteHeader() containing PCM data, accountability giveaway PCM aegis lies application, there's requirement allocated any specific way.



Also, I certain zero waveOut API calls I fail.



I'm now presumption presumably bug Windows, audio driver. Dissenting opinions always welcome.


