[ros-diffs] [reactos] 01/01: [NtUser] Fix Crash in Win32k

18 Jun 2020

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=06e01c8968fe7ca25d044…
commit 06e01c8968fe7ca25d0449b0021d7ed055f6082c
Author:     James Tabor &lt;james.tabor(a)reactos.org&gt;
AuthorDate: Thu Jun 18 11:06:31 2020 -0500
Commit:     James Tabor &lt;james.tabor(a)reactos.org&gt;
CommitDate: Thu Jun 18 11:06:31 2020 -0500
    [NtUser] Fix Crash in Win32k
    Use strict thread and desktop verifying. See CORE-15092 and CORE-17133.
---
 win32ss/user/ntuser/misc.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/win32ss/user/ntuser/misc.c b/win32ss/user/ntuser/misc.c
index 72706fa7f84..196ea416e79 100644
--- a/win32ss/user/ntuser/misc.c
+++ b/win32ss/user/ntuser/misc.c
@@ -377,8 +377,7 @@ NtUserGetGUIThreadInfo(
    GUITHREADINFO SafeGui;
    PDESKTOP Desktop;
    PUSER_MESSAGE_QUEUE MsgQueue;
-   PTHREADINFO W32Thread;
-   PETHREAD Thread = NULL;
+   PTHREADINFO W32Thread, pti;
    DECLARE_RETURN(BOOLEAN);
@@ -400,23 +399,26 @@ NtUserGetGUIThreadInfo(
    if (idThread)
    {
-      Status = PsLookupThreadByThreadId((HANDLE)(DWORD_PTR)idThread, &Thread);
-      if(!NT_SUCCESS(Status))
+      pti = PsGetCurrentThreadWin32Thread();
+
+      // Validate Tread ID
+      W32Thread = IntTID2PTI((HANDLE)idThread);
+
+      if ( !W32Thread )
       {
-         EngSetLastError(ERROR_ACCESS_DENIED);
-         RETURN( FALSE);
+          EngSetLastError(ERROR_ACCESS_DENIED);
+          RETURN( FALSE);
       }
-      W32Thread = (PTHREADINFO)Thread->Tcb.Win32Thread;
+
       Desktop = W32Thread->rpdesk;
-      if (!Thread || !Desktop )
+      // Check Desktop and it must be the same as current.
+      if ( !Desktop || Desktop != pti->rpdesk )
       {
-        if(Thread)
-           ObDereferenceObject(Thread);
-        EngSetLastError(ERROR_ACCESS_DENIED);
-        RETURN( FALSE);
+          EngSetLastError(ERROR_ACCESS_DENIED);
+          RETURN( FALSE);
       }
-
+
       if ( W32Thread->MessageQueue )
         MsgQueue = W32Thread->MessageQueue;
       else
@@ -480,9 +482,6 @@ NtUserGetGUIThreadInfo(
    SafeGui.rcCaret.right = SafeGui.rcCaret.left + CaretInfo->Size.cx;
    SafeGui.rcCaret.bottom = SafeGui.rcCaret.top + CaretInfo->Size.cy;
-   if (idThread)
-      ObDereferenceObject(Thread);
-
    Status = MmCopyToCaller(lpgui, &SafeGui, sizeof(GUITHREADINFO));
    if(!NT_SUCCESS(Status))
    {
    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[ros-diffs] [reactos] 01/01: [NtUser] Fix Crash in Win32k