From 2e3ac87b3d392e336a9b0460b55f1efe4d4fb113 Mon Sep 17 00:00:00 2001
From: James Tabor <james.tabor@reactos.org>
Date: Mon, 7 May 2012 06:00:08 +0000
Subject: [PATCH] [Win32k] - Fix crash when pcti is null. See bug 6759.

svn path=/trunk/; revision=56531
---
 reactos/win32ss/user/ntuser/desktop.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/reactos/win32ss/user/ntuser/desktop.c b/reactos/win32ss/user/ntuser/desktop.c
index 7fbb0186e89..9050b712c59 100644
--- a/reactos/win32ss/user/ntuser/desktop.c
+++ b/reactos/win32ss/user/ntuser/desktop.c
@@ -1821,7 +1821,10 @@ IntSetThreadDesktop(IN HDESK hDesktop,
 
     pdeskOld = pti->rpdesk;
     hdeskOld = pti->hdesk;
-    pctiOld = pti->pcti;
+    if (pti->pcti != &pti->cti)
+       pctiOld = pti->pcti;
+    else
+       pctiOld = NULL;
 
     /* do the switch */
     if(pdesk != NULL)
@@ -1850,7 +1853,7 @@ IntSetThreadDesktop(IN HDESK hDesktop,
         pti->rpdesk = NULL;
         pti->hdesk = NULL;
         pti->pDeskInfo = NULL;
-        pti->pcti = NULL;
+        pti->pcti = &pti->cti; // Always point inside so there will be no crash when posting or sending msg's!
         pci->ulClientDelta = 0;
         pci->pDeskInfo = NULL;
         pci->pClientThreadInfo = NULL;
@@ -1860,7 +1863,7 @@ IntSetThreadDesktop(IN HDESK hDesktop,
     if(pdeskOld != NULL)
     {
         RemoveEntryList(&pti->PtiLink);
-        DesktopHeapFree(pdeskOld, pctiOld);
+        if (pctiOld) DesktopHeapFree(pdeskOld, pctiOld);
         IntUnmapDesktopView(pdeskOld);
         ObDereferenceObject(pdeskOld);
         ZwClose(hdeskOld);