From 3d81dc48a7dbe99078d0cbd0a0ca48dcb452fe7e Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber@reactos.org>
Date: Sun, 29 Dec 2019 16:14:58 +0100
Subject: [PATCH] [WIN32K:NTUSER] Correctly capture UNICODE_STRING in
 NtUserEnumDisplaySettings.

---
 win32ss/user/ntuser/display.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/win32ss/user/ntuser/display.c b/win32ss/user/ntuser/display.c
index a23d19590d3..5295573437e 100644
--- a/win32ss/user/ntuser/display.c
+++ b/win32ss/user/ntuser/display.c
@@ -596,6 +596,7 @@ NtUserEnumDisplaySettings(
     OUT LPDEVMODEW lpDevMode,
     IN DWORD dwFlags)
 {
+    UNICODE_STRING ustrDeviceUser;
     UNICODE_STRING ustrDevice;
     WCHAR awcDevice[CCHDEVICENAME];
     NTSTATUS Status;
@@ -633,15 +634,17 @@ NtUserEnumDisplaySettings(
         _SEH2_TRY
         {
             /* Probe the UNICODE_STRING and the buffer */
-            ProbeForReadUnicodeString(pustrDevice);
+            ustrDeviceUser = ProbeForReadUnicodeString(pustrDevice);
 
-            if (!pustrDevice->Length || !pustrDevice->Buffer)
+            if (!ustrDeviceUser.Length || !ustrDeviceUser.Buffer)
                 ExRaiseStatus(STATUS_NO_MEMORY);
 
-            ProbeForRead(pustrDevice->Buffer, pustrDevice->Length, sizeof(UCHAR));
+            ProbeForRead(ustrDeviceUser.Buffer,
+                         ustrDeviceUser.Length,
+                         sizeof(UCHAR));
 
             /* Copy the string */
-            RtlCopyUnicodeString(&ustrDevice, pustrDevice);
+            RtlCopyUnicodeString(&ustrDevice, &ustrDeviceUser);
         }
         _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
         {