Author: jgardou Date: Fri Oct 24 11:34:55 2014 New Revision: 64954 URL: http://svn.reactos.org/svn/reactos?rev=64954&view=rev Log: [WIN32K] - Do not dereference hook objects when it's not needed. - Avoid use after free. CORE-8698 #resolve Modified: trunk/reactos/win32ss/user/ntuser/hook.c Modified: trunk/reactos/win32ss/user/ntuser/hook.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/hook.c… ============================================================================== --- trunk/reactos/win32ss/user/ntuser/hook.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/user/ntuser/hook.c [iso-8859-1] Fri Oct 24 11:34:55 2014 @@ -1294,12 +1294,14 @@ { Hook = CONTAINING_RECORD(pElement, HOOK, Chain); + /* Get the next element now, we might free the hook in what follows */ + pElement = Hook->Chain.Flink; + if (Hook->Proc == pfnFilterProc) { if (Hook->head.pti == pti) { IntRemoveHook(Hook); - UserDereferenceObject(Hook); return TRUE; } else @@ -1308,8 +1310,6 @@ return FALSE; } } - - pElement = Hook->Chain.Flink; } } return FALSE;