[tkreuzer] 48437: [WIN32K] Protect access to the result pointer from KeUserModeCallback with SEH. Fixes a possible kernel mode crash. - Ros-diffs

3 Aug 2010

Author: tkreuzer
Date: Tue Aug  3 21:36:39 2010
New Revision: 48437
URL: http://svn.reactos.org/svn/reactos?rev=48437&view=rev
Log:
[WIN32K]
Protect access to the result pointer from KeUserModeCallback with SEH. Fixes a possible kernel mode crash.
Modified:
    trunk/reactos/subsystems/win32/win32k/ntuser/callback.c
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/callback.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntu...
==============================================================================

--- trunk/reactos/subsystems/win32/win32k/ntuser/callback.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/callback.c [iso-8859-1] Tue Aug  3 21:36:39 2010
@@ -267,7 +267,16 @@
    if (NT_SUCCESS(Status))
    {
       /* Simulate old behaviour: copy into our local buffer */
-      Result = *(LRESULT*)ResultPointer;
+      _SEH2_TRY
+      {
+        ProbeForRead(ResultPointer, sizeof(LRESULT), 1);
+        Result = *(LRESULT*)ResultPointer;
+      }
+      _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+      {
+        Result = 0;
+      }
+      _SEH2_END
    }
UserEnterCo();

    