[jimtabor] 72080: [NtUser] - Fix crash while mouse cursor is moving over stress test window (RegEdit). This fixes VLC too. Tested SeaMonkey and it did not crash. See CORE-9169 and CORE-9836. - Ros-diffs

2 Aug 2016

Author: jimtabor
Date: Tue Aug  2 04:05:16 2016
New Revision: 72080
URL: http://svn.reactos.org/svn/reactos?rev=72080&view=rev
Log:
[NtUser]
- Fix crash while mouse cursor is moving over stress test window (RegEdit). This fixes VLC too. Tested SeaMonkey and it did not crash. See CORE-9169 and CORE-9836.
Modified:
    trunk/reactos/win32ss/user/ntuser/cursoricon.c
    trunk/reactos/win32ss/user/ntuser/cursoricon.h
    trunk/reactos/win32ss/user/ntuser/defwnd.c
    trunk/reactos/win32ss/user/ntuser/msgqueue.c
Modified: trunk/reactos/win32ss/user/ntuser/cursoricon.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/cursori...
==============================================================================

--- trunk/reactos/win32ss/user/ntuser/cursoricon.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/cursoricon.c	[iso-8859-1] Tue Aug  2 04:05:16 2016
@@ -224,6 +224,15 @@
ASSERT(CurIcon->head.cLockObj >= 1);
     return CurIcon;
+}
+
+PCURICON_OBJECT
+IntSystemSetCursor(PCURICON_OBJECT pcurNew)
+{
+    PCURICON_OBJECT pcurOld = UserSetCursor(pcurNew, FALSE);
+    UserReferenceObject(pcurNew);
+    if (pcurOld) UserDereferenceObject(pcurOld);
+    return pcurOld;
 }
BOOL UserSetCursorPos( INT x, INT y, DWORD flags, ULONG_PTR dwExtraInfo, BOOL Hook)
@@ -1062,9 +1071,12 @@
     }
pcurOld = UserSetCursor(pcurNew, FALSE);
-    if (pcurOld)
-    {
-        hOldCursor = pcurOld->head.h;
+
+    // If returning an old cursor than validate it, Justin Case!
+    if ( pcurOld &&
+        (pcurOld = UserGetObjectNoErr(gHandleTable, UserHMGetHandle(pcurOld), TYPE_CURSOR)))
+    {
+        hOldCursor = UserHMGetHandle(pcurOld);
     /*
         Problem:
@@ -1078,12 +1090,12 @@
         {
            TRACE("Returning Global Cursor hcur %p\n",hOldCursor);
-           if (pcurOld->head.cLockObj > 2) // Throttle down to 2.
+           /*if (pcurOld->head.cLockObj > 2) // Throttle down to 2.
            {
               UserDereferenceObject(pcurOld);
            }
-           goto leave;
+           goto leave;*/
         }
/* See if it was destroyed in the meantime */
Modified: trunk/reactos/win32ss/user/ntuser/cursoricon.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/cursori...
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/cursoricon.h	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/cursoricon.h	[iso-8859-1] Tue Aug  2 04:05:16 2016
@@ -140,8 +140,6 @@
 BOOL UserSetCursorPos( INT x, INT y, DWORD flags, ULONG_PTR dwExtraInfo, BOOL Hook);
 BOOL APIENTRY UserClipCursor(RECTL *prcl);
 PSYSTEM_CURSORINFO IntGetSysCursorInfo(VOID);
-
-#define IntReleaseCurIconObject(CurIconObj) \
-  UserDereferenceObject(CurIconObj)
+PCURICON_OBJECT IntSystemSetCursor(PCURICON_OBJECT);
/* EOF */
Modified: trunk/reactos/win32ss/user/ntuser/defwnd.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/defwnd....
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/defwnd.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/defwnd.c	[iso-8859-1] Tue Aug  2 04:05:16 2016
@@ -307,7 +307,7 @@
       {
          if (pWnd->pcls->spcur)
          {
-            UserSetCursor(pWnd->pcls->spcur, FALSE);
+            IntSystemSetCursor(pWnd->pcls->spcur);
     }
     return FALSE;
       }
@@ -319,7 +319,7 @@
          {
             break;
          }
-         UserSetCursor(SYSTEMCUR(SIZEWE), FALSE);
+         IntSystemSetCursor(SYSTEMCUR(SIZEWE));
          return TRUE;
       }
@@ -330,7 +330,7 @@
          {
             break;
          }
-         UserSetCursor(SYSTEMCUR(SIZENS), FALSE);
+         IntSystemSetCursor(SYSTEMCUR(SIZENS));
          return TRUE;
        }
@@ -341,7 +341,7 @@
          {
             break;
          }
-         UserSetCursor(SYSTEMCUR(SIZENWSE), FALSE);
+         IntSystemSetCursor(SYSTEMCUR(SIZENWSE));
          return TRUE;
        }
@@ -352,11 +352,11 @@
          {
             break;
          }
-         UserSetCursor(SYSTEMCUR(SIZENESW), FALSE);
+         IntSystemSetCursor(SYSTEMCUR(SIZENESW));
          return TRUE;
        }
    }
-   UserSetCursor(SYSTEMCUR(ARROW), FALSE);
+   IntSystemSetCursor(SYSTEMCUR(ARROW));
    return FALSE;
 }
Modified: trunk/reactos/win32ss/user/ntuser/msgqueue.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/msgqueu...
==============================================================================
--- trunk/reactos/win32ss/user/ntuser/msgqueue.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/ntuser/msgqueue.c	[iso-8859-1] Tue Aug  2 04:05:16 2016
@@ -1516,7 +1516,7 @@
     if (pwndMsg == NULL || pwndMsg->head.pti->MessageQueue != MessageQueue)
     {
         // Crossing a boundary, so set cursor. See default message queue cursor.
-        UserSetCursor(SYSTEMCUR(ARROW), FALSE);
+        IntSystemSetCursor(SYSTEMCUR(ARROW));
         /* Remove and ignore the message */
         *RemoveMessages = TRUE;
         return FALSE;

    