[NtUser] Fix Crash in Win32k

Use strict thread and desktop verifying. See CORE-15092 and CORE-17133.
2025-06-20 07:36:05 +00:00 · 2020-06-18 11:06:31 -05:00 · 2020-06-18 11:06:31 -05:00 · 06e01c8968
commit 06e01c8968
parent 5f076e5558
1 changed files with 15 additions and 16 deletions
--- a/win32ss/user/ntuser/misc.c
+++ b/win32ss/user/ntuser/misc.c
@ -377,8 +377,7 @@ NtUserGetGUIThreadInfo(
   GUITHREADINFO SafeGui;
   PDESKTOP Desktop;
   PUSER_MESSAGE_QUEUE MsgQueue;
-   PTHREADINFO W32Thread;
+   PTHREADINFO W32Thread, pti;
   PETHREAD Thread = NULL;
   DECLARE_RETURN(BOOLEAN);
@ -400,19 +399,22 @@ NtUserGetGUIThreadInfo(
   if (idThread)
   {
-      Status = PsLookupThreadByThreadId((HANDLE)(DWORD_PTR)idThread, &Thread);
+      pti = PsGetCurrentThreadWin32Thread();
-      if(!NT_SUCCESS(Status))
+
      // Validate Tread ID
      W32Thread = IntTID2PTI((HANDLE)idThread);
      if ( !W32Thread )
      {
          EngSetLastError(ERROR_ACCESS_DENIED);
          RETURN( FALSE);
      }
-      W32Thread = (PTHREADINFO)Thread->Tcb.Win32Thread;
+
      Desktop = W32Thread->rpdesk;
-      if (!Thread || !Desktop )
+      // Check Desktop and it must be the same as current.
      if ( !Desktop || Desktop != pti->rpdesk )
      {
        if(Thread)
           ObDereferenceObject(Thread);
          EngSetLastError(ERROR_ACCESS_DENIED);
          RETURN( FALSE);
      }
@ -480,9 +482,6 @@ NtUserGetGUIThreadInfo(
   SafeGui.rcCaret.right = SafeGui.rcCaret.left + CaretInfo->Size.cx;
   SafeGui.rcCaret.bottom = SafeGui.rcCaret.top + CaretInfo->Size.cy;
   if (idThread)
      ObDereferenceObject(Thread);
   Status = MmCopyToCaller(lpgui, &SafeGui, sizeof(GUITHREADINFO));
   if(!NT_SUCCESS(Status))
   {