Author: jimtabor Date: Wed Nov 19 05:35:33 2014 New Revision: 65431
URL: http://svn.reactos.org/svn/reactos?rev=65431&view=rev Log: [NtUser] - Fix Process Explorer crash in Win32k. See CORE-8779 and CORE-7447.
Modified: trunk/reactos/win32ss/user/ntuser/message.c
Modified: trunk/reactos/win32ss/user/ntuser/message.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/message...
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/message.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/message.c [iso-8859-1] Wed Nov 19 05:35:33 2014
@@ -213,7 +213,10 @@
 break;
 case WM_COPYDATA:
- Size = sizeof(COPYDATASTRUCT) + ((PCOPYDATASTRUCT)lParam)->cbData;
+ {
+ COPYDATASTRUCT *cds = (COPYDATASTRUCT *)lParam;
+ Size = sizeof(COPYDATASTRUCT) + cds->cbData;
+ }
 break;
 default:
@@ -472,6 +475,9 @@
 NTSTATUS Status;
 PMSGMEMORY MsgMemoryEntry;
 UINT Size;
+ PTHREADINFO pti;
+
+ pti = PsGetCurrentThreadWin32Thread();
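Review bot: The size computation `Size = sizeof(COPYDATASTRUCT) + cds->cbData;` is unchanged by the rewrite and can still wrap: cbData comes from the caller-supplied COPYDATASTRUCT, and if Size is an unsigned int (as the `UINT Size;` in the next hunk suggests for the sibling function) a cbData value near UINT_MAX yields a small Size followed by a copy of cbData bytes into an undersized kernel buffer. Guard the addition before it happens, e.g. `if (cds->cbData > UINT_MAX - sizeof(COPYDATASTRUCT)) { /* treat as invalid message data */ }`, with the failure action matching how the caller handles a zero or error Size, which is outside this hunk. Whether lParam is probed or read under SEH at this point cannot be confirmed from the hunk either; a one-line comment stating who validates the user pointer before this dereference would help. The enclosing switch and function start and end outside the hunk.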
 /* See if this message type is present in the table */
 MsgMemoryEntry = FindMsgMemory(UserModeMsg->message);
@@ -486,6 +492,7 @@
 if (0 != Size)
 {
+ PWND pWnd = ValidateHwndNoErr(KernelModeMsg->hwnd);
 /* Copy data if required */
 if (0 != (MsgMemoryEntry->Flags & MMS_FLAG_WRITE))
 {
@@ -497,7 +504,12 @@
 return Status;
 }
 }
-
+ if (pWnd && KernelModeMsg->message == WM_COPYDATA)
+ {
+ // Only the current process or thread can free the message lParam pointer.
+ if (pWnd->head.pti->MessageQueue != pti->MessageQueue)
+ return STATUS_SUCCESS;
+ }
 ExFreePool((PVOID) KernelModeMsg->lParam);
 }
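Review bot: The ownership test at `if (pWnd && KernelModeMsg->message == WM_COPYDATA)` is skipped entirely when ValidateHwndNoErr returns NULL (window already destroyed), so the fall-through `ExFreePool((PVOID) KernelModeMsg->lParam);` runs no matter which queue owns the buffer; if the rule being introduced is that only the owning queue frees a WM_COPYDATA lParam, the hwnd-invalid case should take the same early return rather than free, otherwise a second free by the owner is possible. `pti->MessageQueue` is also dereferenced without checking that `pti` from PsGetCurrentThreadWin32Thread() is non-NULL, which the hunk does not establish. The added comment says who may free but not why the other side does not; expanding it to `// WM_COPYDATA: the kernel copy of lParam is owned by the receiving queue and is released there; a foreign queue must not free it (CORE-8779).` would record the invariant the crash fix depends on. The enclosing function starts and ends outside the hunk.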
@@ -1415,6 +1427,10 @@
 CLEANUP:
 if (Window)
 UserDerefObjectCo(Window);
+ if ( !ptiSendTo && Msg == WM_COPYDATA )
+ {
+ ExFreePool((PVOID) lParam);
+ }
 END_CLEANUP;
 }
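Review bot: The free under `if ( !ptiSendTo && Msg == WM_COPYDATA )` runs on every path that reaches CLEANUP, and nothing in the hunk shows that lParam has already been replaced by the kernel copy on all of them; if any early exit before that copy reaches this label, the call would free a caller-supplied pointer, which cannot be confirmed here because the function body is outside the hunk. A comment stating the precondition, e.g. `/* lParam is the kernel copy of the COPYDATASTRUCT made for in-thread delivery; it is released here, cross-queue copies are released by the receiver */`, would make the ownership rule checkable at the other free sites. The spacing `if ( !ptiSendTo ... )` also differs from `if (Window)` on the line above; `if (!ptiSendTo && Msg == WM_COPYDATA)` matches the surrounding style.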