Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-12-27 09:34:43 +00:00
Code Issues Projects Releases Packages Wiki Activity

[WIN32K/USER] Fix callout object referencing in co_IntUpdateWindows

Browse source 
Move UserRefObjectCo, so that it covers co_IntSendMessage as well.
This caused a use-after-free during testing.
This commit is contained in:
Timo Kreuzer 2023-09-19 20:26:19 +03:00
parent 9eca7c52f6
commit 08b9354ff3
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
win32ss/user/ntuser/painting.c
View file

@ -519,6 +519,7 @@ VOID FASTCALL
co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse) co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
{ {
HWND hWnd = UserHMGetHandle(Wnd); HWND hWnd = UserHMGetHandle(Wnd);
USER_REFERENCE_ENTRY Ref;
if ( Wnd->hrgnUpdate != NULL || Wnd->state & WNDS_INTERNALPAINT ) if ( Wnd->hrgnUpdate != NULL || Wnd->state & WNDS_INTERNALPAINT )
{ {
@ -542,15 +543,15 @@ co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
Wnd->state &= ~WNDS_UPDATEDIRTY; Wnd->state &= ~WNDS_UPDATEDIRTY;
Wnd->state2 |= WNDS2_WMPAINTSENT; Wnd->state2 |= WNDS2_WMPAINTSENT;
UserRefObjectCo(Wnd, &Ref);
co_IntSendMessage(hWnd, WM_PAINT, 0, 0); co_IntSendMessage(hWnd, WM_PAINT, 0, 0);
if (Wnd->state & WNDS_PAINTNOTPROCESSED) if (Wnd->state & WNDS_PAINTNOTPROCESSED)
{ {
USER_REFERENCE_ENTRY Ref;
UserRefObjectCo(Wnd, &Ref);
co_IntPaintWindows(Wnd, RDW_NOCHILDREN, FALSE); co_IntPaintWindows(Wnd, RDW_NOCHILDREN, FALSE);
UserDerefObjectCo(Wnd);
} }
UserDerefObjectCo(Wnd);
} }
// Force flags as a toggle. Fixes msg:test_paint_messages:WmChildPaintNc. // Force flags as a toggle. Fixes msg:test_paint_messages:WmChildPaintNc.