Author: sginsberg
Date: Thu Jul 9 00:41:58 2009
New Revision: 41816
URL:
http://svn.reactos.org/svn/reactos?rev=41816&view=rev
Log:
- NtUserMessageCall: Fix probe-and-capture for the FNID_BROADCASTSYSTEMMESSAGE case --
win32k must copy user mode buffers to safe memory before reading from them (or wrap the
operations in SEH). Copy the buffer to the stack as it is small.
Modified:
trunk/reactos/subsystems/win32/win32k/ntuser/message.c
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/message.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/nt…
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/message.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/message.c [iso-8859-1] Thu Jul 9
00:41:58 2009
@@ -2051,7 +2051,7 @@
break;
case FNID_BROADCASTSYSTEMMESSAGE:
{
- PBROADCASTPARM parm;
+ BROADCASTPARM parm;
DWORD_PTR RetVal = 0;
if (ResultInfo)
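Review bot: `BROADCASTPARM parm;` on the new side is left uninitialized, and the only visible path that fills it is the RtlCopyMemory inside the probed block further down; the _SEH2_EXCEPT arm is outside this hunk, so if it does not leave the case after a failed probe, parm.recipients and parm.flags are later consumed as stack garbage. Declaring it as `BROADCASTPARM parm = {0};` makes the fallback deterministic (zero recipients and flags) regardless of what the handler does. NtUserMessageCall starts before this hunk.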
@@ -2061,7 +2061,7 @@
ProbeForWrite((PVOID)ResultInfo,
sizeof(BROADCASTPARM),
1);
- parm = (PBROADCASTPARM)ResultInfo;
+ RtlCopyMemory(&parm, (PVOID)ResultInfo, sizeof(BROADCASTPARM));
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
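Review bot: The copy `RtlCopyMemory(&parm, (PVOID)ResultInfo, sizeof(BROADCASTPARM));` sits inside the probed SEH region, so every later read goes to the kernel snapshot rather than the user buffer; two smaller points remain. The probe is still ProbeForWrite although this hunk only reads from ResultInfo — if nothing is written back through it afterwards (not visible here), `ProbeForRead((PVOID)ResultInfo, sizeof(BROADCASTPARM), 1);` is the tighter check. Using `sizeof(parm)` in both the probe and the copy ties the length to the variable so the two cannot drift apart. The _SEH2_EXCEPT arm that follows is outside the hunk.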
@@ -2073,15 +2073,15 @@
else
break;
- if ( parm->recipients & BSM_ALLDESKTOPS ||
- parm->recipients == BSM_ALLCOMPONENTS )
- {
- }
- else if (parm->recipients & BSM_APPLICATIONS)
- {
- if (parm->flags & BSF_QUERY)
+ if ( parm.recipients & BSM_ALLDESKTOPS ||
+ parm.recipients == BSM_ALLCOMPONENTS )
+ {
+ }
+ else if (parm.recipients & BSM_APPLICATIONS)
+ {
+ if (parm.flags & BSF_QUERY)
{
- if (parm->flags & BSF_FORCEIFHUNG || parm->flags &
BSF_NOHANG)
+ if (parm.flags & BSF_FORCEIFHUNG || parm.flags & BSF_NOHANG)
{
co_IntSendMessageTimeout( HWND_BROADCAST,
Msg,
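Review bot: The `if ( parm.recipients & BSM_ALLDESKTOPS || parm.recipients == BSM_ALLCOMPONENTS ) { }` branch on the new side has an empty body, so those recipient values are accepted and silently do nothing while Ret keeps whatever value it had; a reader cannot tell whether that is intended. A one-line comment inside the braces, `/* BSM_ALLDESKTOPS / BSM_ALLCOMPONENTS: not implemented, no message is sent */`, records that, and writing the first operand as `(parm.recipients & BSM_ALLDESKTOPS) ||` makes the precedence explicit. The same `->` to `.` rewrite continues in the two following hunks, which carry no separate point; the co_IntSendMessageTimeout call at the end of this hunk runs past it.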
@@ -2091,7 +2091,7 @@
2000,
&RetVal);
}
- else if (parm->flags & BSF_NOTIMEOUTIFNOTHUNG)
+ else if (parm.flags & BSF_NOTIMEOUTIFNOTHUNG)
{
co_IntSendMessageTimeout( HWND_BROADCAST,
Msg,
@@ -2112,11 +2112,11 @@
&RetVal);
}
}
- else if (parm->flags & BSF_POSTMESSAGE)
+ else if (parm.flags & BSF_POSTMESSAGE)
{
Ret = UserPostMessage(HWND_BROADCAST, Msg, wParam, lParam);
}
- else if ( parm->flags & BSF_SENDNOTIFYMESSAGE)
+ else if ( parm.flags & BSF_SENDNOTIFYMESSAGE)
{
Ret = UserSendNotifyMessage(HWND_BROADCAST, Msg, wParam, lParam);
}