https://git.reactos.org/?p=reactos.git;a=commitdiff;h=4661bc006d0e49e78b1eb…
commit 4661bc006d0e49e78b1ebaee9509e078f12c70a8
Author: Timo Kreuzer <timo.kreuzer(a)reactos.org>
AuthorDate: Fri Aug 18 08:35:59 2023 +0300
Commit: Timo Kreuzer <timo.kreuzer(a)reactos.org>
CommitDate: Thu Sep 21 23:45:31 2023 +0300
[WIN32K] Prevent dereferencing NULL pointer
Initialize a window's ThreadListEntry as an empty list on creation and only remove
the window from the list on destruction, when the entry is not an empty list. Previously
the window creation could fail before the list entry was initialized and the window would
get destroyed after that, resulting in a NULL pointer dereference.
---
win32ss/user/ntuser/window.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/win32ss/user/ntuser/window.c b/win32ss/user/ntuser/window.c
index e4a7b1affd6..27881a1cdf9 100644
--- a/win32ss/user/ntuser/window.c
+++ b/win32ss/user/ntuser/window.c
@@ -596,7 +596,8 @@ LRESULT co_UserFreeWindow(PWND Window,
/* remove the window already at this point from the thread window list so we
don't get into trouble when destroying the thread windows while we're
still
in co_UserFreeWindow() */
- RemoveEntryList(&Window->ThreadListEntry);
+ if (!IsListEmpty(&Window->ThreadListEntry))
+ RemoveEntryList(&Window->ThreadListEntry);
BelongsToThreadData = IntWndBelongsToThread(Window, ThreadData);
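Review bot: The IsListEmpty guard added before RemoveEntryList only protects the never-inserted case, not a repeated free: RemoveEntryList leaves the entry's Flink/Blink pointing at its former neighbours, so a second pass through co_UserFreeWindow for the same window would see a non-empty entry and unlink it again, corrupting the thread list. Consider re-initializing the entry right after removal, e.g. `InitializeListHead(&Window->ThreadListEntry);` following the `RemoveEntryList` call, so the guard remains meaningful after the first removal. Note also that IsListEmpty is being applied to a list entry rather than a list head; it works here only because the entry is initialized as its own one-element ring on creation, which is worth stating in the comment above (currently the comment describes the old unconditional removal).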
@@ -1917,6 +1918,7 @@ PWND FASTCALL IntCreateWindow(CREATESTRUCTW* Cs,
pWnd->HideAccel = pWnd->spwndParent->HideAccel;
}
+ InitializeListHead(&pWnd->ThreadListEntry);
pWnd->head.pti->cWindows++;
if (Class->spicn && !Class->spicnSm)
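Review bot: The InitializeListHead call is placed after the parent/HideAccel handling rather than immediately after pWnd is allocated, so the fix depends on no failure path between allocation and this point reaching co_UserFreeWindow; if the window memory is zeroed, Flink is NULL there, IsListEmpty returns false, and RemoveEntryList would still dereference NULL, which is exactly the crash the commit message describes. Either move `InitializeListHead(&pWnd->ThreadListEntry);` to directly follow the allocation of pWnd, or add a comment confirming that the earlier failure paths in IntCreateWindow release the object without going through co_UserFreeWindow.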