[tfaber] 75014: [WIN32K:NTUSER] - Add a hack to avoid doubly freeing a DCE in IntDestroyClass. Since we don't implement W32PF_OWNDCCLEANUP and always free DCEs unconditionally in DceFreeDCE, it is ... - Ros-diffs

12 Jun 2017

Author: tfaber
Date: Mon Jun 12 19:37:58 2017
New Revision: 75014

URL: http://svn.reactos.org/svn/reactos?rev=75014&view=rev
Log:
[WIN32K:NTUSER]
- Add a hack to avoid doubly freeing a DCE in IntDestroyClass. Since we don't
implement W32PF_OWNDCCLEANUP and always free DCEs unconditionally in DceFreeDCE, it is not
safe to access the class DCE here (and probably other places) since it could have been
deleted by a dying thread.
CORE-13415 #resolve

Modified:
    trunk/reactos/win32ss/user/ntuser/class.c
    trunk/reactos/win32ss/user/ntuser/dce.h
    trunk/reactos/win32ss/user/ntuser/windc.c

Modified: trunk/reactos/win32ss/user/ntuser/class.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/class.…
==============================================================================

--- trunk/reactos/win32ss/user/ntuser/class.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/class.c	[iso-8859-1] Mon Jun 12 19:37:58 2017
@@ -261,7 +261,7 @@
 
         if (Class->pdce)
         {
-           DceFreeClassDCE(((PDCE)Class->pdce)->hDC);
+           DceFreeClassDCE(Class->pdce);
            Class->pdce = NULL;
         }
 

Modified: trunk/reactos/win32ss/user/ntuser/dce.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/dce.h?…
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/dce.h	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/dce.h	[iso-8859-1] Mon Jun 12 19:37:58 2017
@@ -47,7 +47,7 @@
 void FASTCALL DceFreeDCE(PDCE dce, BOOLEAN Force);
 void FASTCALL DceEmptyCache(void);
 VOID FASTCALL DceResetActiveDCEs(PWND Window);
-void FASTCALL DceFreeClassDCE(HDC);
+void FASTCALL DceFreeClassDCE(PDCE);
 HWND FASTCALL UserGethWnd(HDC,PWNDOBJ*);
 void FASTCALL DceFreeWindowDCE(PWND);
 void FASTCALL DceFreeThreadDCE(PTHREADINFO);

Modified: trunk/reactos/win32ss/user/ntuser/windc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/windc.…
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/windc.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/windc.c	[iso-8859-1] Mon Jun 12 19:37:58 2017
@@ -766,7 +766,7 @@
 }
 
 void FASTCALL
-DceFreeClassDCE(HDC hDC)
+DceFreeClassDCE(PDCE pdceClass)
 {
    PDCE pDCE;
    PLIST_ENTRY ListEntry;
@@ -776,7 +776,7 @@
    {
        pDCE = CONTAINING_RECORD(ListEntry, DCE, List);
        ListEntry = ListEntry->Flink;
-       if (pDCE->hDC == hDC)
+       if (pDCE == pdceClass)
        {
           DceFreeDCE(pDCE, TRUE); // Might have gone cheap!
        }



    