https://git.reactos.org/?p=reactos.git;a=commitdiff;h=cfeb498e4f2ed0eaef6d29cd4332c60120347b10

commit cfeb498e4f2ed0eaef6d29cd4332c60120347b10
Author:     Katayama Hirofumi MZ <[email protected]>
AuthorDate: Thu Mar 3 09:43:05 2022 +0900
Commit:     GitHub <[email protected]>
CommitDate: Thu Mar 3 09:43:05 2022 +0900

    [NTUSER][IMM32] Fix ValidateHandleNoErr (#4377)
    
    - Add DesktopPtrToUser helper function.
    - Fix imm32.ValidateHandleNoErr function.
    - Use DesktopHeapAlloc to allocate the IMC, instead of 
ExAllocatePoolWithTag.
    - Use DesktopHeapFree to free the IMC, instead of ExFreePoolWithTag.
    CORE-11700, CORE-18049
---
 dll/win32/imm32/utils.c   | 27 ++++++++++++++++++++++++---
 win32ss/user/ntuser/ime.c | 11 ++++++++---
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/dll/win32/imm32/utils.c b/dll/win32/imm32/utils.c
index 8c3d8ad3c11..e96f80528ae 100644
--- a/dll/win32/imm32/utils.c
+++ b/dll/win32/imm32/utils.c
@@ -149,12 +149,26 @@ VOID APIENTRY LogFontWideToAnsi(const LOGFONTW *plfW, 
LPLOGFONTA plfA)
     plfA->lfFaceName[cch] = 0;
 }
 
+static PVOID FASTCALL DesktopPtrToUser(PVOID ptr)
+{
+    PCLIENTINFO pci = GetWin32ClientInfo();
+    PDESKTOPINFO pdi = pci->pDeskInfo;
+
+    ASSERT(ptr != NULL);
+    ASSERT(pdi != NULL);
+    if (pdi->pvDesktopBase <= ptr && ptr < pdi->pvDesktopLimit)
+        return (PVOID)((ULONG_PTR)ptr - pci->ulClientDelta);
+    else
+        return (PVOID)NtUserCallOneParam((DWORD_PTR)ptr, 
ONEPARAM_ROUTINE_GETDESKTOPMAPPING);
+}
+
 LPVOID FASTCALL ValidateHandleNoErr(HANDLE hObject, UINT uType)
 {
-    INT index;
+    UINT index;
     PUSER_HANDLE_TABLE ht;
     PUSER_HANDLE_ENTRY he;
     WORD generation;
+    LPVOID ptr;
 
     if (!NtUserValidateHandleSecure(hObject))
         return NULL;
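Review bot: In DesktopPtrToUser, `pdi` is dereferenced in the range check with only `ASSERT(pdi != NULL)` in front of it, and assertions are normally compiled out of release builds. If a thread can reach ValidateHandleNoErr before `pci->pDeskInfo` is populated (not determinable from this hunk), that is a NULL dereference in the calling process. Folding the test into the condition, `if (pdi && pdi->pvDesktopBase <= ptr && ptr < pdi->pvDesktopLimit)`, lets the missing-desktop case fall through to the `NtUserCallOneParam` mapping path. A short header comment would also help, for example `/* Translate a kernel desktop-heap address into this process's read-only mapping; returns NULL if unmapped. */`, with the NULL-return part hedged because the kernel routine's failure value is not shown here.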
@@ -166,14 +180,21 @@ LPVOID FASTCALL ValidateHandleNoErr(HANDLE hObject, UINT 
uType)
     he = (PUSER_HANDLE_ENTRY)((ULONG_PTR)ht->handles - 
g_SharedInfo.ulSharedDelta);
 
     index = (LOWORD(hObject) - FIRST_USER_HANDLE) >> 1;
-    if (index < 0 || ht->nb_handles <= index || he[index].type != uType)
+    if ((INT)index < 0 || ht->nb_handles <= index || he[index].type != uType)
+        return NULL;
+
+    if (he[index].flags & HANDLEENTRY_DESTROY)
         return NULL;
 
     generation = HIWORD(hObject);
     if (generation != he[index].generation && generation && generation != 
0xFFFF)
         return NULL;
 
-    return &he[index];
+    ptr = he[index].ptr;
+    if (ptr)
+        ptr = DesktopPtrToUser(ptr);
+
+    return ptr;
 }
 
 PWND FASTCALL ValidateHwndNoErr(HWND hwnd)
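Review bot: The index is still computed as `(LOWORD(hObject) - FIRST_USER_HANDLE) >> 1` before any range check, so a handle below FIRST_USER_HANDLE produces a negative intermediate that is right-shifted (implementation-defined for signed values, assuming the constant is a plain int) and is only caught afterwards by the `(INT)index < 0` cast. Rejecting the low range first is clearer and avoids the signed shift: `if (LOWORD(hObject) < FIRST_USER_HANDLE) return NULL;` ahead of the subtraction, after which the cast can be dropped and `ht->nb_handles <= index` is the whole bounds check. This matters because `he[index]` is read from the shared handle table straight after, and `index` is derived from a caller-supplied handle. The function now returns the object pointer rather than the handle entry, so a one-line comment saying that would help callers such as ValidateHwndNoErr, whose body is outside this hunk.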
diff --git a/win32ss/user/ntuser/ime.c b/win32ss/user/ntuser/ime.c
index f29f4e4cfa4..124e5667c88 100644
--- a/win32ss/user/ntuser/ime.c
+++ b/win32ss/user/ntuser/ime.c
@@ -1200,7 +1200,10 @@ AllocInputContextObject(PDESKTOP pDesk,
     ASSERT(Size > sizeof(*ObjHead));
     ASSERT(pti != NULL);
 
-    ObjHead = ExAllocatePoolWithTag(PagedPool, Size, USERTAG_IME);
+    if (!pDesk)
+        pDesk = pti->rpdesk;
+
+    ObjHead = DesktopHeapAlloc(pDesk, Size);
     if (!ObjHead)
         return NULL;
 
@@ -1218,6 +1221,8 @@ AllocInputContextObject(PDESKTOP pDesk,
 
 VOID UserFreeInputContext(PVOID Object)
 {
+    PTHRDESKHEAD ObjHead = Object;
+    PDESKTOP pDesk = ObjHead->rpdesk;
     PIMC pIMC = Object, *ppIMC;
     PTHREADINFO pti;
 
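Review bot: `PDESKTOP pDesk = ObjHead->rpdesk;` dereferences `Object` in the declarations, before any statement in the function body can validate it. The body between this hunk and the next is not shown; if it contains a NULL check on `pIMC`, that check now comes too late. Declaring `PDESKTOP pDesk;` and assigning `pDesk = ObjHead->rpdesk;` after the validation keeps the early capture (needed because the free uses it) without the unguarded read.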
@@ -1235,7 +1240,7 @@ VOID UserFreeInputContext(PVOID Object)
         }
     }
 
-    ExFreePoolWithTag(pIMC, USERTAG_IME);
+    DesktopHeapFree(pDesk, Object);
 
     pti->ppi->UserHandleCount--;
     IntDereferenceThreadInfo(pti);
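Review bot: `DesktopHeapFree(pDesk, Object)` frees into whichever desktop `ObjHead->rpdesk` named on entry, whereas AllocInputContextObject may have allocated from the `pti->rpdesk` fallback. The line that stores the desktop in the object head is not in any visible hunk. If the two can differ, the block is returned to a heap it was not allocated from, which would corrupt the desktop heap. Confirm that the allocator writes the post-fallback `pDesk` into the head, and consider `ASSERT(pDesk != NULL);` immediately before the free, plus a comment there stating that the free must target the allocating desktop.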
@@ -1250,7 +1255,7 @@ BOOLEAN UserDestroyInputContext(PVOID Object)
 
     UserMarkObjectDestroy(pIMC);
 
-    return UserDeleteObject(pIMC->head.h, TYPE_INPUTCONTEXT);
+    return UserDeleteObject(UserHMGetHandle(pIMC), TYPE_INPUTCONTEXT);
 }
 
 BOOL NTAPI NtUserDestroyInputContext(HIMC hIMC)
