commit 06e01c8968fe7ca25d0449b0021d7ed055f6082c
Author: James Tabor <james.tabor(a)reactos.org>
AuthorDate: Thu Jun 18 11:06:31 2020 -0500
Commit: James Tabor <james.tabor(a)reactos.org>
CommitDate: Thu Jun 18 11:06:31 2020 -0500
[NtUser] Fix Crash in Win32k
Use strict thread and desktop verification. See CORE-15092 and CORE-17133.
---
win32ss/user/ntuser/misc.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/win32ss/user/ntuser/misc.c b/win32ss/user/ntuser/misc.c
index 72706fa7f84..196ea416e79 100644
--- a/win32ss/user/ntuser/misc.c
+++ b/win32ss/user/ntuser/misc.c
@@ -377,8 +377,7 @@ NtUserGetGUIThreadInfo(
GUITHREADINFO SafeGui;
PDESKTOP Desktop;
PUSER_MESSAGE_QUEUE MsgQueue;
- PTHREADINFO W32Thread;
- PETHREAD Thread = NULL;
+ PTHREADINFO W32Thread, pti;
DECLARE_RETURN(BOOLEAN);
@@ -400,23 +399,26 @@ NtUserGetGUIThreadInfo(
if (idThread)
{
- Status = PsLookupThreadByThreadId((HANDLE)(DWORD_PTR)idThread, &Thread);
- if(!NT_SUCCESS(Status))
+ pti = PsGetCurrentThreadWin32Thread();
+
+ // Validate Tread ID
+ W32Thread = IntTID2PTI((HANDLE)idThread);
+
+ if ( !W32Thread )
{
- EngSetLastError(ERROR_ACCESS_DENIED);
- RETURN( FALSE);
+ EngSetLastError(ERROR_ACCESS_DENIED);
+ RETURN( FALSE);
}
- W32Thread = (PTHREADINFO)Thread->Tcb.Win32Thread;
+
Desktop = W32Thread->rpdesk;
- if (!Thread || !Desktop )
+ // Check Desktop and it must be the same as current.
+ if ( !Desktop || Desktop != pti->rpdesk )
{
- if(Thread)
- ObDereferenceObject(Thread);
- EngSetLastError(ERROR_ACCESS_DENIED);
- RETURN( FALSE);
+ EngSetLastError(ERROR_ACCESS_DENIED);
+ RETURN( FALSE);
}
-
+
if ( W32Thread->MessageQueue )
MsgQueue = W32Thread->MessageQueue;
else
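Review bot: The new lookup `W32Thread = IntTID2PTI((HANDLE)idThread);` drops the `(DWORD_PTR)` intermediate that the removed `PsLookupThreadByThreadId((HANDLE)(DWORD_PTR)idThread, ...)` line used; converting a 32-bit `idThread` straight to a pointer-sized `HANDLE` is the kind of cast that warns on 64-bit builds, so `W32Thread = IntTID2PTI((HANDLE)(DWORD_PTR)idThread);` keeps the original, width-safe form. Further down, `pti->rpdesk` is dereferenced without checking that `PsGetCurrentThreadWin32Thread()` returned non-NULL; if the surrounding entry path (outside this hunk) does not already guarantee a current THREADINFO, a `if (!pti) { EngSetLastError(ERROR_ACCESS_DENIED); RETURN( FALSE); }` guard before the desktop comparison would make the new rejection path self-contained. The comment `// Validate Tread ID` should read `// Validate Thread ID`, and it would help a later reader to state why the desktop must match, e.g. `// Only expose GUI state for threads on the caller's own desktop`. NtUserGetGUIThreadInfo begins before this hunk and its remaining body, including the non-idThread branch, continues after it.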
@@ -480,9 +482,6 @@ NtUserGetGUIThreadInfo(
SafeGui.rcCaret.right = SafeGui.rcCaret.left + CaretInfo->Size.cx;
SafeGui.rcCaret.bottom = SafeGui.rcCaret.top + CaretInfo->Size.cy;
- if (idThread)
- ObDereferenceObject(Thread);
-
Status = MmCopyToCaller(lpgui, &SafeGui, sizeof(GUITHREADINFO));
if(!NT_SUCCESS(Status))
{