Author: jimtabor
Date: Wed Nov 19 05:35:33 2014
New Revision: 65431

URL: http://svn.reactos.org/svn/reactos?rev=65431&view=rev
Log:
[NtUser]
- Fix Process Explorer crash in Win32k. See CORE-8779 and CORE-7447.

Modified:
    trunk/reactos/win32ss/user/ntuser/message.c

Modified: trunk/reactos/win32ss/user/ntuser/message.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/message.c?rev=65431&r1=65430&r2=65431&view=diff
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/message.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/message.c [iso-8859-1] Wed Nov 19 
05:35:33 2014
@@ -213,7 +213,10 @@
                 break;
 
             case WM_COPYDATA:
-                Size = sizeof(COPYDATASTRUCT) + 
((PCOPYDATASTRUCT)lParam)->cbData;
+                {
+                COPYDATASTRUCT *cds = (COPYDATASTRUCT *)lParam;
+                Size = sizeof(COPYDATASTRUCT) + cds->cbData;
+                }
                 break;
 
             default:
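Review bot: `Size = sizeof(COPYDATASTRUCT) + cds->cbData;` still performs the addition with no overflow check; cbData is a caller-supplied DWORD, and if the lParam reaching this switch comes from user mode (the enclosing function starts and ends outside the hunk, so the probe/capture that precedes it is not visible) a value near the top of the type's range wraps Size — presumably a UINT, as in the later hunk — to a small number, and the buffer later allocated from Size is overrun when cbData bytes are copied into it. A guard before the addition such as `if (cds->cbData > (UINT)-1 - sizeof(COPYDATASTRUCT)) { Size = 0; break; }` would make the failure explicit, since the copy path already treats Size == 0 as "no attached data" (`if (0 != Size)` in the later hunk); confirm that dropping the payload is the intended reaction. A comment on the new block, `/* cbData is caller-controlled; bound it before sizing the kernel copy */`, would record why the local was introduced.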
@@ -472,6 +475,9 @@
     NTSTATUS Status;
     PMSGMEMORY MsgMemoryEntry;
     UINT Size;
+    PTHREADINFO pti;
+    
+    pti = PsGetCurrentThreadWin32Thread();
 
     /* See if this message type is present in the table */
     MsgMemoryEntry = FindMsgMemory(UserModeMsg->message);
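Review bot: The new `pti` is declared and then assigned three lines later across a whitespace-only added line (trailing spaces on the blank line); the file's other locals here are plain declarations, and the assignment can be folded into the declaration as `PTHREADINFO pti = PsGetCurrentThreadWin32Thread();`. A short comment such as `/* Receiver thread, compared against the window's queue for WM_COPYDATA below */` would explain why the thread info is fetched unconditionally, since it is only consumed in the WM_COPYDATA branch later in this function.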
@@ -486,6 +492,7 @@
 
     if (0 != Size)
     {
+        PWND pWnd = ValidateHwndNoErr(KernelModeMsg->hwnd);
         /* Copy data if required */
         if (0 != (MsgMemoryEntry->Flags & MMS_FLAG_WRITE))
         {
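Review bot: `PWND pWnd = ValidateHwndNoErr(KernelModeMsg->hwnd);` runs for every message that carries attached memory, but its only consumer is the WM_COPYDATA comparison added further down in this function; moving the lookup inside that `if (KernelModeMsg->message == WM_COPYDATA)` branch keeps the handle validation off the path of every other message with data. If it stays here, a comment such as `/* Resolved early only for the WM_COPYDATA ownership check below */` would stop a reader from looking for other uses.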
@@ -497,7 +504,12 @@
                 return Status;
             }
         }
-
+        if (pWnd && KernelModeMsg->message == WM_COPYDATA)
+        {
+           // Only the current process or thread can free the message lParam 
pointer.
+           if (pWnd->head.pti->MessageQueue != pti->MessageQueue)
+              return STATUS_SUCCESS;
+        }
         ExFreePool((PVOID) KernelModeMsg->lParam);
     }
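Review bot: The cross-queue WM_COPYDATA check dereferences `pti->MessageQueue` without a NULL test on `pti`; `pWnd` is guarded, but the value from PsGetCurrentThreadWin32Thread() assigned in the earlier hunk is not, so a caller without a Win32 thread would fault here rather than return (whether such a caller can reach this path is not visible from the hunk). The early `return STATUS_SUCCESS;` also skips whatever follows the `if (0 != Size)` block, which lies outside the hunk, so any status handling there is bypassed for this message. The comment `// Only the current process or thread can free the message lParam pointer.` understates the contract the change introduces — the comparison is on message queues, and the sender now releases the buffer itself in the CLEANUP branch of the last hunk — so something like `// Cross-queue WM_COPYDATA: the kernel copy is owned and freed by the sending thread, not here.` would document the ownership split.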
 
@@ -1415,6 +1427,10 @@
 
 CLEANUP:
     if (Window) UserDerefObjectCo(Window);
+    if ( !ptiSendTo && Msg == WM_COPYDATA )
+    {
+       ExFreePool((PVOID) lParam);
+    }
     END_CLEANUP;
 }
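Review bot: `ExFreePool((PVOID) lParam);` in the new CLEANUP branch assumes lParam already holds the kernel copy and is non-NULL; the function starts outside the hunk, so the point where the user pointer is replaced by the captured buffer is not visible, and if CLEANUP can be reached before that replacement, or with lParam == NULL (which ExFreePool rejects with a bugcheck), the free itself becomes the crash. Guarding on the pointer, `if (!ptiSendTo && Msg == WM_COPYDATA && lParam)`, and naming the allocation in a comment, `/* No receiving thread: release the kernel WM_COPYDATA copy the receiver would otherwise free */`, would make the ownership hand-off explicit. The spacing in `if ( !ptiSendTo && Msg == WM_COPYDATA )` also differs from the file's `if (0 != Size)` style.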
 

