[ros-diffs] [sginsberg] 41816: - NtUserMessageCall: Fix probe-and-capture for the FNID_BROADCASTSYSTEMMESSAGE case -- win32k must copy user mode buffers to safe memory before reading from them (or wrap the operations in SEH). Copy the buffer to the stack as it is small.

Wed, 08 Jul 2009 13:42:16 -0700 

Author: sginsberg
Date: Thu Jul  9 00:41:58 2009
New Revision: 41816

URL: http://svn.reactos.org/svn/reactos?rev=41816&view=rev
Log:
- NtUserMessageCall: Fix probe-and-capture for the FNID_BROADCASTSYSTEMMESSAGE 
case -- win32k must copy user mode buffers to safe memory before reading from 
them (or wrap the operations in SEH). Copy the buffer to the stack as it is 
small.

Modified:
    trunk/reactos/subsystems/win32/win32k/ntuser/message.c

Modified: trunk/reactos/subsystems/win32/win32k/ntuser/message.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntuser/message.c?rev=41816&r1=41815&r2=41816&view=diff
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/message.c [iso-8859-1] 
(original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/message.c [iso-8859-1] Thu Jul 
 9 00:41:58 2009
@@ -2051,7 +2051,7 @@
       break;
       case FNID_BROADCASTSYSTEMMESSAGE:
       {
-         PBROADCASTPARM parm;
+         BROADCASTPARM parm;
          DWORD_PTR RetVal = 0;
 
          if (ResultInfo)
@@ -2061,7 +2061,7 @@
                ProbeForWrite((PVOID)ResultInfo,
                          sizeof(BROADCASTPARM),
                                              1);
-               parm = (PBROADCASTPARM)ResultInfo;
+               RtlCopyMemory(&parm, (PVOID)ResultInfo, sizeof(BROADCASTPARM));
             }
             _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
             {
@@ -2073,15 +2073,15 @@
          else
            break;
 
-         if ( parm->recipients & BSM_ALLDESKTOPS ||
-              parm->recipients == BSM_ALLCOMPONENTS )
-         {
-         }
-         else if (parm->recipients & BSM_APPLICATIONS)
-         {
-            if (parm->flags & BSF_QUERY)
+         if ( parm.recipients & BSM_ALLDESKTOPS ||
+              parm.recipients == BSM_ALLCOMPONENTS )
+         {
+         }
+         else if (parm.recipients & BSM_APPLICATIONS)
+         {
+            if (parm.flags & BSF_QUERY)
             {
-               if (parm->flags & BSF_FORCEIFHUNG || parm->flags & BSF_NOHANG)
+               if (parm.flags & BSF_FORCEIFHUNG || parm.flags & BSF_NOHANG)
                {
                   co_IntSendMessageTimeout( HWND_BROADCAST,
                                             Msg,
@@ -2091,7 +2091,7 @@
                                             2000,
                                             &RetVal);
                }
-               else if (parm->flags & BSF_NOTIMEOUTIFNOTHUNG)
+               else if (parm.flags & BSF_NOTIMEOUTIFNOTHUNG)
                {
                   co_IntSendMessageTimeout( HWND_BROADCAST,
                                             Msg,
@@ -2112,11 +2112,11 @@
                                             &RetVal);
                }
             }
-            else if (parm->flags & BSF_POSTMESSAGE)
+            else if (parm.flags & BSF_POSTMESSAGE)
             {
                Ret = UserPostMessage(HWND_BROADCAST, Msg, wParam, lParam);
             }
-            else if ( parm->flags & BSF_SENDNOTIFYMESSAGE)
+            else if ( parm.flags & BSF_SENDNOTIFYMESSAGE)
             {
                Ret = UserSendNotifyMessage(HWND_BROADCAST, Msg, wParam, 
lParam);
             }

Reply via email to