Author: jimtabor
Date: Wed Nov 19 05:35:33 2014
New Revision: 65431
URL:
http://svn.reactos.org/svn/reactos?rev=65431&view=rev
Log:
[NtUser]
- Fix Process Explorer crash in Win32k. See CORE-8779 and CORE-7447.
Modified:
trunk/reactos/win32ss/user/ntuser/message.c
Modified: trunk/reactos/win32ss/user/ntuser/message.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/messag…
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/message.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/message.c [iso-8859-1] Wed Nov 19 05:35:33 2014
@@ -213,7 +213,10 @@
break;
case WM_COPYDATA:
- Size = sizeof(COPYDATASTRUCT) + ((PCOPYDATASTRUCT)lParam)->cbData;
+ {
+ COPYDATASTRUCT *cds = (COPYDATASTRUCT *)lParam;
+ Size = sizeof(COPYDATASTRUCT) + cds->cbData;
+ }
break;
default:
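Review bot: The sum on the new line `Size = sizeof(COPYDATASTRUCT) + cds->cbData;` has no overflow check, and cds->cbData is read from the caller-supplied structure behind lParam, so a value close to the maximum of Size's type wraps the result to a small allocation size while cbData is still used as a copy length elsewhere. A bound check before the addition would close this, e.g. `if (cds->cbData > MAXUINT - sizeof(COPYDATASTRUCT))` followed by whatever failure convention the enclosing function already uses for an unusable size. Size's declaration and the enclosing function's start and end are outside this hunk, so I cannot confirm the type or the existing failure path from here.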
@@ -472,6 +475,9 @@
NTSTATUS Status;
PMSGMEMORY MsgMemoryEntry;
UINT Size;
+ PTHREADINFO pti;
+
+ pti = PsGetCurrentThreadWin32Thread();
/* See if this message type is present in the table */
MsgMemoryEntry = FindMsgMemory(UserModeMsg->message);
@@ -486,6 +492,7 @@
if (0 != Size)
{
+ PWND pWnd = ValidateHwndNoErr(KernelModeMsg->hwnd);
/* Copy data if required */
if (0 != (MsgMemoryEntry->Flags & MMS_FLAG_WRITE))
{
@@ -497,7 +504,12 @@
return Status;
}
}
-
+ if (pWnd && KernelModeMsg->message == WM_COPYDATA)
+ {
+ // Only the current process or thread can free the message lParam pointer.
+ if (pWnd->head.pti->MessageQueue != pti->MessageQueue)
+ return STATUS_SUCCESS;
+ }
ExFreePool((PVOID) KernelModeMsg->lParam);
}
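Review bot: The comparison `pWnd->head.pti->MessageQueue != pti->MessageQueue` dereferences both pti and pWnd->head.pti without a NULL check; pWnd itself is checked, but if PsGetCurrentThreadWin32Thread() (assigned in the earlier hunk) or the window's owning pti can be NULL on this path, the new check introduces a new fault in a change meant to fix one. The early `return STATUS_SUCCESS;` also hands ownership of KernelModeMsg->lParam to another thread without saying so, and the one-line comment does not explain where that buffer is then released; I would extend it to `// Cross-queue WM_COPYDATA: the buffer is released by the receiving side's CLEANUP path, not here.` so the next reader does not see this as a leak. The enclosing function continues past the hunk.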
@@ -1415,6 +1427,10 @@
CLEANUP:
if (Window) UserDerefObjectCo(Window);
+ if ( !ptiSendTo && Msg == WM_COPYDATA )
+ {
+ ExFreePool((PVOID) lParam);
+ }
END_CLEANUP;
}
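Review bot: The new `ExFreePool((PVOID) lParam);` in CLEANUP is gated only on `!ptiSendTo && Msg == WM_COPYDATA`, not on whether lParam has already been replaced by the kernel copy; if any failure path reaches CLEANUP before that replacement happens, this frees the caller's original lParam pointer. A flag set right after the copy, or a check that lParam no longer equals the original argument, would make the condition depend on the buffer's state rather than on the message number. A comment on this free naming the counterpart early-return in CopyMsgToUserMode would also help, since the two sides of this ownership rule live far apart in the file. The enclosing function starts outside the hunk, so the copy and any early exits before CLEANUP are not visible here.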