New subject: [ros-diffs] [mjmartin] 47393: [win32k] - The timer is created usingUserCreateObject. It may be a good idea to save the handle in the timer object so that it can be deleted later. - Dereference the object before attempting to delete it.

30 May 2010

There's no lock on the list access.
On 29 May 2010 07:51, mjmartin@svn.reactos.org wrote:
...
Author: mjmartin
Date: Sat May 29 08:51:03 2010
New Revision: 47393
URL: http://svn.reactos.org/svn/reactos?rev=47393&view=rev
Log:
[win32k]

The timer is created usingUserCreateObject. It may be a good idea to save

the handle in the timer object so that it can be deleted later.

Dereference the object before attempting to delete it.

Modified:
   trunk/reactos/subsystems/win32/win32k/ntuser/timer.c
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/timer.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntu...
==============================================================================

--- trunk/reactos/subsystems/win32/win32k/ntuser/timer.c [iso-8859-1]
(original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/timer.c [iso-8859-1] Sat
May 29 08:51:03 2010
@@ -50,13 +50,21 @@
  if (!FirstpTmr)
  {
      FirstpTmr = UserCreateObject(gHandleTable, NULL, &Handle, otTimer,
sizeof(TIMER));

 if (FirstpTmr) InitializeListHead(&FirstpTmr->ptmrList);




 if (FirstpTmr)


 {


    FirstpTmr->head.h = Handle;


    InitializeListHead(&FirstpTmr->ptmrList);


 }
Ret = FirstpTmr;

}
else
{
    Ret = UserCreateObject(gHandleTable, NULL, &Handle, otTimer,

sizeof(TIMER));

 if (Ret) InsertTailList(&FirstpTmr->ptmrList, &Ret->ptmrList);




 if (Ret)


 {


    Ret->head.h = Handle;


    InsertTailList(&FirstpTmr->ptmrList, &Ret->ptmrList);


 }

}
return Ret;

}
@@ -66,14 +74,17 @@
 FASTCALL
 RemoveTimer(PTIMER pTmr)
 {

BOOL Ret = FALSE;
if (pTmr)
{
  /* Set the flag, it will be removed when ready */
  RemoveEntryList(&pTmr->ptmrList);


UserDeleteObject( UserHMGetHandle(pTmr), otTimer);


return TRUE;


}
return FALSE;


UserDereferenceObject(pTmr);


Ret = UserDeleteObject( UserHMGetHandle(pTmr), otTimer);


}
if (!Ret) DPRINT1("Warning unable to delete timer\n");

return Ret;

}
PTIMER
@@ -528,9 +539,7 @@
   {
      if ((pTmr) && (pTmr->pti == pti) && (pTmr->pWnd == Window))
      {

    RemoveEntryList(&pTmr->ptmrList);


    UserDeleteObject( UserHMGetHandle(pTmr), otTimer);


    TimersRemoved = TRUE;




    TimersRemoved = RemoveTimer(pTmr);
}
pLE = pTmr->ptmrList.Flink;
pTmr = CONTAINING_RECORD(pLE, TIMER, ptmrList);



@@ -557,9 +566,7 @@
   {
      if ((pTmr) && (pTmr->pti == pti))
      {

    RemoveEntryList(&pTmr->ptmrList);


    UserDeleteObject( UserHMGetHandle(pTmr), otTimer);


    TimersRemoved = TRUE;




    TimersRemoved = RemoveTimer(pTmr);
}
pLE = pTmr->ptmrList.Flink;
pTmr = CONTAINING_RECORD(pLE, TIMER, ptmrList);







    

Re: [ros-dev] [ros-diffs] [mjmartin] 47393: [win32k] - The timer is created usingUserCreateObject. It may be a good idea to save the handle in the timer object so that it can be deleted later. - Dereference the object before attempting to delete it.