https://git.reactos.org/?p=reactos.git;a=commitdiff;h=08b9354ff34f365776543…
commit 08b9354ff34f3657765433736b6635021caa4716
Author: Timo Kreuzer <timo.kreuzer(a)reactos.org>
AuthorDate: Tue Sep 19 20:26:19 2023 +0300
Commit: Timo Kreuzer <timo.kreuzer(a)reactos.org>
CommitDate: Sun Oct 20 09:35:14 2024 +0300
[WIN32K/USER] Fix callout object referencing in co_IntUpdateWindows
Move UserRefObjectCo, so that it covers co_IntSendMessage as well.
Without the reference held across that call, a use-after-free occurred during testing.
---
win32ss/user/ntuser/painting.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/win32ss/user/ntuser/painting.c b/win32ss/user/ntuser/painting.c
index e813d25185d..6edf47699fc 100644
--- a/win32ss/user/ntuser/painting.c
+++ b/win32ss/user/ntuser/painting.c
@@ -519,6 +519,7 @@ VOID FASTCALL
co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
{
HWND hWnd = UserHMGetHandle(Wnd);
+ USER_REFERENCE_ENTRY Ref;
if ( Wnd->hrgnUpdate != NULL || Wnd->state & WNDS_INTERNALPAINT )
{
@@ -542,15 +543,15 @@ co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
Wnd->state &= ~WNDS_UPDATEDIRTY;
Wnd->state2 |= WNDS2_WMPAINTSENT;
+
+ UserRefObjectCo(Wnd, &Ref);
co_IntSendMessage(hWnd, WM_PAINT, 0, 0);
if (Wnd->state & WNDS_PAINTNOTPROCESSED)
{
- USER_REFERENCE_ENTRY Ref;
- UserRefObjectCo(Wnd, &Ref);
co_IntPaintWindows(Wnd, RDW_NOCHILDREN, FALSE);
- UserDerefObjectCo(Wnd);
}
+ UserDerefObjectCo(Wnd);
}
// Force flags as a toggle. Fixes msg:test_paint_messages:WmChildPaintNc.
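Review bot: After `co_IntSendMessage(hWnd, WM_PAINT, 0, 0)` returns, the held reference keeps the `Wnd` memory valid, but nothing in this hunk checks whether the window was destroyed during the callout before `Wnd->state` is read and `co_IntPaintWindows` is called on it. If a destroyed-but-still-referenced window can reach this point, the condition could be tightened to `if (!(Wnd->state & WNDS_DESTROYED) && (Wnd->state & WNDS_PAINTNOTPROCESSED))`; whether that flag is the right liveness test here should be confirmed against the destroy path. The reference also deserves a why-comment above `UserRefObjectCo(Wnd, &Ref);`, for example `/* Keep Wnd alive across the WM_PAINT callout: user mode may destroy the window */`, so the pairing is not narrowed again later. The function body continues outside the hunk, so any use of `Wnd` after the `UserDerefObjectCo(Wnd)` at the end of this block is not covered by this reference and is worth checking separately.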