That's a bit** of a hack. Either the code holds a reference and needs to release it or not. cLockObj is a private field and code outside of UserReference* should not be allowed to access it.

Thanks!
-Thomas

** actually it's a pretty big hack

On May 28, 2015 12:13:03 AM CEST, jimtabor@svn.reactos.org wrote:
Author: jimtabor
Date: Wed May 27 22:13:03 2015
New Revision: 67937

URL: http://svn.reactos.org/svn/reactos?rev=67937&view=rev
Log:
[NtUser]
- De-reference global cursor. See CORE-8305.

Modified:
    trunk/reactos/win32ss/user/ntuser/cursoricon.c

Modified: trunk/reactos/win32ss/user/ntuser/cursoricon.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/cursoricon.c?rev=67937&r1=67936&r2=67937&view=diff

--- trunk/reactos/win32ss/user/ntuser/cursoricon.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/cursoricon.c [iso-8859-1] Wed May 27 22:13:03 2015
@@ -1077,6 +1077,12 @@
         if
(pcurOld->CURSORF_flags & CURSORF_GLOBAL)
         {
            TRACE("Returning Global Cursor hcur %p\n",hOldCursor);
+
+           if (pcurOld->head.cLockObj > 2) // Throttle down to 2.
+           {
+              UserDereferenceObject(pcurOld);
+           }
+
            goto leave;
         }



--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.