Author: tfaber Date: Mon May 25 15:28:06 2015 New Revision: 67907 URL: http://svn.reactos.org/svn/reactos?rev=67907&view=rev Log: [WIN32K:NTUSER] - Use UserRefObjectCo in IntNotifyWinEvent to avoid a reference leak in case the call-out does not return - Sanitize list walk Modified: trunk/reactos/win32ss/user/ntuser/event.c Modified: trunk/reactos/win32ss/user/ntuser/event.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/event.… ============================================================================== --- trunk/reactos/win32ss/user/ntuser/event.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/user/ntuser/event.c [iso-8859-1] Mon May 25 15:28:06 2015 @@ -184,8 +184,9 @@ DWORD flags) { PEVENTHOOK pEH; - PLIST_ENTRY pLE; + PLIST_ENTRY ListEntry; PTHREADINFO pti, ptiCurrent; + USER_REFERENCE_ENTRY Ref; TRACE("IntNotifyWinEvent GlobalEvents = %p pWnd %p\n", GlobalEvents, pWnd); @@ -200,12 +201,13 @@ else pti = ptiCurrent; - pLE = GlobalEvents->Events.Flink; - pEH = CONTAINING_RECORD(pLE, EVENTHOOK, Chain); - do - { - if (!pEH) break; - UserReferenceObject(pEH); + ListEntry = GlobalEvents->Events.Flink; + ASSERT(ListEntry != &GlobalEvents->Events); + while (ListEntry != &GlobalEvents->Events) + { + pEH = CONTAINING_RECORD(ListEntry, EVENTHOOK, Chain); + ListEntry = ListEntry->Flink; + // Must be inside the event window. if ( Event >= pEH->eventMin && Event <= pEH->eventMax ) { @@ -217,6 +219,7 @@ (pEH->Flags & WINEVENT_SKIPOWNTHREAD && pEH->head.pti == pti) || pEH->head.pti->rpdesk != ptiCurrent->rpdesk ) ) // Same as hooks. { + UserRefObjectCo(pEH, &Ref); if (pEH->Flags & WINEVENT_INCONTEXT) { TRACE("In Event 0x%x, idObject %d hwnd %p\n", Event, idObject, pWnd ? UserHMGetHandle(pWnd) : NULL); @@ -241,12 +244,10 @@ idChild, PtrToUint(NtCurrentTeb()->ClientId.UniqueThread)); } + UserDerefObjectCo(pEH); } } - UserDereferenceObject(pEH); - pLE = pEH->Chain.Flink; - pEH = CONTAINING_RECORD(pLE, EVENTHOOK, Chain); - } while (pLE != &GlobalEvents->Events); + } } VOID