Author: tfaber Date: Fri Feb 13 10:11:50 2015 New Revision: 66243
URL: http://svn.reactos.org/svn/reactos?rev=66243&view=rev Log: [WIN32K:NTUSER] - Assert sanity of object reference counts in UserReferenceObject, UserDereferenceObject and UserDeleteObject. If you hit a cLockObj < 0x10000 assertion failure, you found yourself a use after free (RtlFreeHeap will put a LIST_ENTRY in this location, so a freed item has a kernel pointer there). See CORE-8703 for an example.
Modified: trunk/reactos/win32ss/user/ntuser/object.c
Modified: trunk/reactos/win32ss/user/ntuser/object.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/object....
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/object.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/object.c [iso-8859-1] Fri Feb 13 10:11:50 2015
@@ -586,9 +586,10 @@
 FASTCALL
 UserDereferenceObject(PVOID Object)
 {
- PHEAD ObjHead = (PHEAD)Object;
+ PHEAD ObjHead = Object;

 ASSERT(ObjHead->cLockObj >= 1);
+ ASSERT(ObjHead->cLockObj < 0x10000);

 if (--ObjHead->cLockObj == 0)
 {
@@ -663,6 +664,7 @@
 if (!body) return FALSE;

 ASSERT( ((PHEAD)body)->cLockObj >= 1);
+ ASSERT( ((PHEAD)body)->cLockObj < 0x10000);

 return UserFreeHandle(gHandleTable, h);
 }
@@ -671,9 +673,11 @@
 FASTCALL
 UserReferenceObject(PVOID obj)
 {
- ASSERT(((PHEAD)obj)->cLockObj >= 0);
-
- ((PHEAD)obj)->cLockObj++;
+ PHEAD ObjHead = obj;
+ ASSERT(ObjHead->cLockObj >= 0);
+ ASSERT(ObjHead->cLockObj < 0x10000);
+
+ ObjHead->cLockObj++;
 }

 PVOID
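Review bot: The upper bound 0x10000 is a bare magic number repeated in all three hunks (UserDereferenceObject at @@ -586, the delete path at @@ -663, and UserReferenceObject at @@ -671) with no comment saying what it means; the assert only makes sense as a heuristic for a freed heap block, where the log says a kernel pointer now sits in place of the lock count, so a named constant with a comment would keep the next reader from "fixing" the value or raising the limit silently. Defining once something like `#define USER_MAX_LOCK_COUNT 0x10000 /* a larger value is a kernel pointer, i.e. freed memory */` and writing `ASSERT(ObjHead->cLockObj < USER_MAX_LOCK_COUNT);` at each site would carry that rationale into the code (the constant name is a suggestion, not an existing identifier). The @@ -663 hunk also keeps the repeated `((PHEAD)body)` casts where the other two hunks introduce a `PHEAD` local, so the three call sites no longer read alike. These checks are present only in checked builds, since ASSERT compiles out in release builds, so they are a debugging aid for catching use-after-free rather than a runtime guard. The function enclosing the @@ -663 hunk starts outside the hunk, and UserDereferenceObject's body continues past the end of the first hunk.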