13 Feb
2015
13 Feb
'15
10:11 a.m.
Author: tfaber
Date: Fri Feb 13 10:11:50 2015
New Revision: 66243
URL: http://svn.reactos.org/svn/reactos?rev=66243&view=rev
Log:
[WIN32K:NTUSER]
- Assert sanity of object reference counts in UserReferenceObject, UserDereferenceObject
and UserDeleteObject. If you hit a cLockObj < 0x10000 assertion failure, you found
yourself a use after free (RtlFreeHeap will put a LIST_ENTRY in this location, so a freed
item has a kernel pointer there).
See CORE-8703 for an example.
Modified:
trunk/reactos/win32ss/user/ntuser/object.c
Modified: trunk/reactos/win32ss/user/ntuser/object.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/object…
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/object.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/object.c [iso-8859-1] Fri Feb 13 10:11:50 2015
@@ -586,9 +586,10 @@
FASTCALL
UserDereferenceObject(PVOID Object)
{
- PHEAD ObjHead = (PHEAD)Object;
+ PHEAD ObjHead = Object;
ASSERT(ObjHead->cLockObj >= 1);
+ ASSERT(ObjHead->cLockObj < 0x10000);
if (--ObjHead->cLockObj == 0)
{
@@ -663,6 +664,7 @@
if (!body) return FALSE;
ASSERT( ((PHEAD)body)->cLockObj >= 1);
+ ASSERT( ((PHEAD)body)->cLockObj < 0x10000);
return UserFreeHandle(gHandleTable, h);
}
@@ -671,9 +673,11 @@
FASTCALL
UserReferenceObject(PVOID obj)
{
- ASSERT(((PHEAD)obj)->cLockObj >= 0);
-
- ((PHEAD)obj)->cLockObj++;
+ PHEAD ObjHead = obj;
+ ASSERT(ObjHead->cLockObj >= 0);
+ ASSERT(ObjHead->cLockObj < 0x10000);
+
+ ObjHead->cLockObj++;
}
PVOID