Please have a look at that code:
NtGdiCreateCompatibleDC @ 192:
    ...
    /* allocate a new DC that uses the original DC's driver */
    hNewDC = DC_AllocDC(&OrigDC->DriverName);
    if (NULL == hNewDC)
    {
        DC_UnlockDc(OrigDC);
        if (NULL != DisplayDC)
        {
            NtGdiDeleteObjectApp(DisplayDC);
        }
        return NULL;
    }
    /* lock the DC just allocated above */
    NewDC = DC_LockDc( hNewDC );
    ...
I am not completely sure (GreatLord said it was fine) but I think it
might not be.
Let's think of a condition where process x, thread 0 tries to call
NtGdiCreateCompatibleDC and allocates the DC.
Wouldn't there be a chance for thread 1 to get a lock on the DC (by
guessing its handle) just after it was created and make DC_LockDc
return NULL?
GDIOBJ_LockObj checks if the ProcessID is the same as
PsGetCurrentProcessId(), but not more.
So I think a second thread might do a timed attack and get a lock on
the just-created DC.
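As an added illustration of the interleaving described above (a constructed model, not ReactOS code; all names are hypothetical): a handle table whose lock check compares only the owning process id, so a sibling thread of the same process can take the lock between allocation and the creator's own lock call, and a variant that hands the object back already locked, which closes that window.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model (hypothetical, not ReactOS code) of one GDI handle-table
   entry: which process owns the object and whether an exclusive lock is held. */
typedef struct { uint32_t owner_pid; bool in_use; bool locked; } HandleEntry;
#define TABLE_SIZE 4
static HandleEntry table[TABLE_SIZE];

static void reset_table(void) {
    for (int i = 0; i < TABLE_SIZE; i++) table[i] = (HandleEntry){0};
}

/* Mirrors the check described in the post: only the process id is compared,
   so any thread of the owning process may take a free lock. */
static HandleEntry *lock_obj(int h, uint32_t pid) {
    if (h < 0 || h >= TABLE_SIZE || !table[h].in_use) return NULL;
    if (table[h].owner_pid != pid) return NULL;  /* other process: refused */
    if (table[h].locked) return NULL;            /* already held: refused */
    table[h].locked = true;
    return &table[h];
}

/* Allocation that returns an unlocked object: this is the window in question. */
static int alloc_obj(uint32_t pid) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (!table[i].in_use) { table[i] = (HandleEntry){pid, true, false}; return i; }
    return -1;
}

/* Hardened variant: the creator receives the object already locked, so there
   is no interval in which a sibling thread can lock it first. */
static int alloc_obj_locked(uint32_t pid) {
    int h = alloc_obj(pid);
    if (h >= 0) table[h].locked = true;
    return h;
}

/* Interleaving from the post: thread 0 allocates, thread 1 (same pid) guesses
   the handle and locks it first, then thread 0 calls lock. Returns true when
   thread 0 ends up with NULL, i.e. the race described above succeeds. */
bool creator_loses_lock(bool use_locked_alloc) {
    const uint32_t pid = 1234;  /* constructed: both threads share one process */
    reset_table();
    int h = use_locked_alloc ? alloc_obj_locked(pid) : alloc_obj(pid);
    HandleEntry *thread1 = lock_obj(h, pid);  /* racing sibling thread */
    HandleEntry *thread0 = use_locked_alloc ? &table[h] : lock_obj(h, pid);
    return thread0 == NULL && thread1 != NULL;
}
```

With the unlocked allocation the creator's lock call returns NULL exactly as the post suspects; with the locked allocation the sibling thread is the one refused.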