Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-06-26 07:51:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

[NtUser] Fix Crash in Win32k

Browse source 
Use strict thread and desktop verifying. See CORE-15092 and CORE-17133.
This commit is contained in:
James Tabor 2020-06-18 11:06:31 -05:00
parent 5f076e5558
commit 06e01c8968
1 changed files with 15 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
win32ss/user/ntuser/misc.c
View file

@ -377,8 +377,7 @@ NtUserGetGUIThreadInfo(
GUITHREADINFO SafeGui;
PDESKTOP Desktop;
PUSER_MESSAGE_QUEUE MsgQueue;
PTHREADINFO W32Thread;
PETHREAD Thread = NULL;
PTHREADINFO W32Thread, pti;
DECLARE_RETURN(BOOLEAN);
@ -400,23 +399,26 @@ NtUserGetGUIThreadInfo(
if (idThread)
{
Status = PsLookupThreadByThreadId((HANDLE)(DWORD_PTR)idThread, &Thread);
if(!NT_SUCCESS(Status))
pti = PsGetCurrentThreadWin32Thread();
// Validate Tread ID
W32Thread = IntTID2PTI((HANDLE)idThread);
if ( !W32Thread )
{
EngSetLastError(ERROR_ACCESS_DENIED);
RETURN( FALSE);
EngSetLastError(ERROR_ACCESS_DENIED);
RETURN( FALSE);
}
W32Thread = (PTHREADINFO)Thread->Tcb.Win32Thread;
Desktop = W32Thread->rpdesk;
if (!Thread || !Desktop )
// Check Desktop and it must be the same as current.
if ( !Desktop || Desktop != pti->rpdesk )
{
if(Thread)
ObDereferenceObject(Thread);
EngSetLastError(ERROR_ACCESS_DENIED);
RETURN( FALSE);
EngSetLastError(ERROR_ACCESS_DENIED);
RETURN( FALSE);
}
if ( W32Thread->MessageQueue )
MsgQueue = W32Thread->MessageQueue;
else
@ -480,9 +482,6 @@ NtUserGetGUIThreadInfo(
SafeGui.rcCaret.right = SafeGui.rcCaret.left + CaretInfo->Size.cx;
SafeGui.rcCaret.bottom = SafeGui.rcCaret.top + CaretInfo->Size.cy;
if (idThread)
ObDereferenceObject(Thread);
Status = MmCopyToCaller(lpgui, &SafeGui, sizeof(GUITHREADINFO));
if(!NT_SUCCESS(Status))
{