https://git.reactos.org/?p=reactos.git;a=commitdiff;h=44e1d875963adf4521790b36229950175c5af213
commit 44e1d875963adf4521790b36229950175c5af213 Author: Hermès Bélusca-Maïto <[email protected]> AuthorDate: Thu May 18 22:47:26 2023 +0200 Commit: Hermès Bélusca-Maïto <[email protected]> CommitDate: Sun May 21 19:35:19 2023 +0200 [USER32] RegisterClassExWOWW/ExA: NULL or IS_ATOM class are treated the same. (#5291) CORE-18978 Fixes NULL pointer access when e.g. class.lpszClassName == NULL and the class is registered. The RegisterClass(ExA/W/...) should return 0 instead of throwing an invalid access exception. However, providing an invalid pointer will trigger a crash. --- win32ss/user/user32/windows/class.c | 57 ++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 30 deletions(-) diff --git a/win32ss/user/user32/windows/class.c b/win32ss/user/user32/windows/class.c index df11d1692f1..6abaf350bc1 100644 --- a/win32ss/user/user32/windows/class.c +++ b/win32ss/user/user32/windows/class.c @@ -1310,32 +1310,28 @@ RegisterClassExWOWW(WNDCLASSEXW *lpwcx, RtlCopyMemory(&WndClass, lpwcx, sizeof(*lpwcx)); RtlInitEmptyAnsiString(&AnsiMenuName, NULL, 0); - if (WndClass.lpszMenuName != NULL) + if (!IS_INTRESOURCE(WndClass.lpszMenuName)) { - if (!IS_INTRESOURCE(WndClass.lpszMenuName)) + if (WndClass.lpszMenuName[0]) { - if (WndClass.lpszMenuName[0]) - { - RtlInitUnicodeString(&MenuName, WndClass.lpszMenuName); - RtlUnicodeStringToAnsiString( &AnsiMenuName, &MenuName, TRUE); - } - } - else - { - MenuName.Buffer = (LPWSTR)WndClass.lpszMenuName; - AnsiMenuName.Buffer = (PCHAR)WndClass.lpszMenuName; + RtlInitUnicodeString(&MenuName, WndClass.lpszMenuName); + RtlUnicodeStringToAnsiString(&AnsiMenuName, &MenuName, TRUE); } } + else + { + MenuName.Buffer = (LPWSTR)WndClass.lpszMenuName; + AnsiMenuName.Buffer = (PCHAR)WndClass.lpszMenuName; + } - if (IS_ATOM(WndClass.lpszClassName)) + if (WndClass.lpszClassName && !IS_ATOM(WndClass.lpszClassName)) { - ClassName.Length = - ClassName.MaximumLength = 0; - ClassName.Buffer = (LPWSTR)WndClass.lpszClassName; + RtlInitUnicodeString(&ClassName, WndClass.lpszClassName); } else { - RtlInitUnicodeString(&ClassName, WndClass.lpszClassName); + ClassName.Length = ClassName.MaximumLength = 0; + ClassName.Buffer = (LPWSTR)WndClass.lpszClassName; } ClassVersion = ClassName; @@ -1373,35 +1369,36 @@ RegisterClassExWOWW(WNDCLASSEXW *lpwcx, ATOM WINAPI RegisterClassExA(CONST WNDCLASSEXA *lpwcx) { - RTL_ATOM Atom; + ATOM Atom; WNDCLASSEXW WndClass; WCHAR mname[MAX_BUFFER_LEN]; WCHAR cname[MAX_BUFFER_LEN]; + C_ASSERT(sizeof(WndClass) == sizeof(*lpwcx)); + RtlCopyMemory(&WndClass, lpwcx, sizeof(*lpwcx)); - if (WndClass.lpszMenuName != NULL) + if (WndClass.lpszMenuName && !IS_INTRESOURCE(WndClass.lpszMenuName)) { - if (!IS_INTRESOURCE(WndClass.lpszMenuName)) + if (WndClass.lpszMenuName[0]) { - if (WndClass.lpszMenuName[0]) - { - if (!MultiByteToWideChar( CP_ACP, 0, lpwcx->lpszMenuName, -1, mname, MAX_ATOM_LEN + 1 )) return 0; + if (!MultiByteToWideChar(CP_ACP, 0, lpwcx->lpszMenuName, -1, mname, MAX_ATOM_LEN + 1 )) + return 0; - WndClass.lpszMenuName = mname; - } + WndClass.lpszMenuName = mname; } } - if (!IS_ATOM(WndClass.lpszClassName)) + if (WndClass.lpszClassName && !IS_ATOM(WndClass.lpszClassName)) { - if (!MultiByteToWideChar( CP_ACP, 0, lpwcx->lpszClassName, -1, cname, MAX_ATOM_LEN + 1 )) return 0; + if (!MultiByteToWideChar(CP_ACP, 0, lpwcx->lpszClassName, -1, cname, MAX_ATOM_LEN + 1 )) + return 0; WndClass.lpszClassName = cname; } Atom = RegisterClassExWOWW(&WndClass, - 0, + NULL, 0, CSF_ANSIPROC, TRUE); @@ -1410,7 +1407,7 @@ RegisterClassExA(CONST WNDCLASSEXA *lpwcx) Atom, lpwcx->lpfnWndProc, lpwcx->hInstance, lpwcx->hbrBackground, lpwcx->style, lpwcx->cbClsExtra, lpwcx->cbWndExtra, WndClass); - return (ATOM)Atom; + return Atom; } /* @@ -1421,7 +1418,7 @@ RegisterClassExW(CONST WNDCLASSEXW *lpwcx) { ATOM Atom; - Atom = RegisterClassExWOWW((WNDCLASSEXW *)lpwcx, 0, 0, 0, TRUE); + Atom = RegisterClassExWOWW((WNDCLASSEXW *)lpwcx, NULL, 0, 0, TRUE); TRACE("W atom=%04x wndproc=%p hinst=%p bg=%p style=%08x clsExt=%d winExt=%d\n", Atom, lpwcx->lpfnWndProc, lpwcx->hInstance, lpwcx->hbrBackground,
