From 08b9354ff34f3657765433736b6635021caa4716 Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Tue, 19 Sep 2023 20:26:19 +0300
Subject: [PATCH] [WIN32K/USER] Fix callout object referencing in co_IntUpdateWindows

Move UserRefObjectCo, so that it covers co_IntSendMessage as well.
This caused a use-after-free during testing.
---
 win32ss/user/ntuser/painting.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/win32ss/user/ntuser/painting.c b/win32ss/user/ntuser/painting.c
index e813d25185d..6edf47699fc 100644
--- a/win32ss/user/ntuser/painting.c
+++ b/win32ss/user/ntuser/painting.c
@@ -519,6 +519,7 @@ VOID FASTCALL
 co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
 {
    HWND hWnd = UserHMGetHandle(Wnd);
+   USER_REFERENCE_ENTRY Ref;
 
    if ( Wnd->hrgnUpdate != NULL || Wnd->state & WNDS_INTERNALPAINT )
    {
@@ -542,15 +543,15 @@ co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
 
       Wnd->state &= ~WNDS_UPDATEDIRTY;
       Wnd->state2 |= WNDS2_WMPAINTSENT;
+
+      UserRefObjectCo(Wnd, &Ref);
       co_IntSendMessage(hWnd, WM_PAINT, 0, 0);
 
       if (Wnd->state & WNDS_PAINTNOTPROCESSED)
       {
-         USER_REFERENCE_ENTRY Ref;
-         UserRefObjectCo(Wnd, &Ref);
          co_IntPaintWindows(Wnd, RDW_NOCHILDREN, FALSE);
-         UserDerefObjectCo(Wnd);
       }
+      UserDerefObjectCo(Wnd);
    }
 
    // Force flags as a toggle. Fixes msg:test_paint_messages:WmChildPaintNc.
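Review bot: The callout reference now spans the WM_PAINT send, so the `Wnd->state & WNDS_PAINTNOTPROCESSED` read after `co_IntSendMessage` returns is no longer a use-after-free, but nothing in the second hunk checks whether the window was destroyed during the callout before that read and before `co_IntPaintWindows` is called on it; a reference keeps the object memory valid, not the window alive, so if the module has an in-destroy state test it presumably belongs between the send and that `if`. The ordering requirement is not stated anywhere, and a comment on the new `UserRefObjectCo` line would keep a later edit from moving it back: `/* Must precede the callout: Wnd is dereferenced after WM_PAINT returns */`. co_IntUpdateWindows continues past the hunk, so the `Wnd->state` accesses that follow the new `UserDerefObjectCo` rely on whatever reference the caller holds; that is unchanged by this commit but worth noting next to the deref.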