Author: tkreuzer
Date: Tue Aug 3 21:36:39 2010
New Revision: 48437

URL: http://svn.reactos.org/svn/reactos?rev=48437&view=rev

Log:
[WIN32K] Protect access to the result pointer from KeUserModeCallback with SEH. Fixes a possible kernel mode crash.

Modified: trunk/reactos/subsystems/win32/win32k/ntuser/callback.c
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/callback.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntu... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/ntuser/callback.c [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/ntuser/callback.c [iso-8859-1] Tue Aug 3 21:36:39 2010 @@ -267,7 +267,16 @@ if (NT_SUCCESS(Status)) { /* Simulate old behaviour: copy into our local buffer */ - Result = *(LRESULT*)ResultPointer; + _SEH2_TRY + { + ProbeForRead(ResultPointer, sizeof(LRESULT), 1); + Result = *(LRESULT*)ResultPointer; + } + _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) + { + Result = 0; + } + _SEH2_END }
UserEnterCo();
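
Review bot: In the `_SEH2_EXCEPT` handler, a faulting or invalid `ResultPointer` is silently turned into `Result = 0`, and because this code sits inside `if (NT_SUCCESS(Status))`, `Status` still reports success. A caller cannot tell a failed read from a callback that legitimately returned 0. Consider recording the failure in the handler, for example `Status = _SEH2_GetExceptionCode();`, or at least emitting a debug trace there, so a bad user-mode result buffer is visible rather than masked. A smaller point on `ProbeForRead(ResultPointer, sizeof(LRESULT), 1);`: the alignment argument of 1 accepts any address, while the next line dereferences the pointer as `LRESULT*`. If callers are expected to return a naturally aligned buffer, passing the alignment of `LRESULT` would reject misaligned pointers up front; if unaligned results are intentionally tolerated, a short comment saying so would help. Doing the probe and the single read into the local `Result` inside the same try block is the right shape, since the value is fetched from user memory only once.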