From 9022021b6d249d70bdddb62781827b05a5b77c09 Mon Sep 17 00:00:00 2001
From: James Tabor
Date: Fri, 6 Nov 2015 09:37:30 +0000
Subject: [PATCH] [Win32k] - Fix use after free crash in send messages timeout tests. See CORE-10482 - Dedicated to Thomas Faber.

svn path=/trunk/; revision=69818
---
 reactos/win32ss/user/ntuser/msgqueue.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/reactos/win32ss/user/ntuser/msgqueue.c b/reactos/win32ss/user/ntuser/msgqueue.c
index 9a41964dc90..4db88d9d802 100644
--- a/reactos/win32ss/user/ntuser/msgqueue.c
+++ b/reactos/win32ss/user/ntuser/msgqueue.c
@@ -778,7 +778,7 @@ AllocateUserMessage(BOOL KEvent)
 KeInitializeEvent(Message->pkCompletionEvent, NotificationEvent, FALSE);
 }
 SendMsgCount++;
- //ERR("AUM pti %p msg %p\n",PsGetCurrentThreadWin32Thread(),Message);
+ TRACE("AUM pti %p msg %p\n",PsGetCurrentThreadWin32Thread(),Message);
 return Message;
 }
@@ -2226,6 +2226,12 @@ MsqCleanupThreadMsgs(PTHREADINFO pti)
 else if ( pti == CurrentSentMessage->ptiSender ||
 pti == CurrentSentMessage->ptiCallBackSender )
 {
+ // Determine whether this message is being processed or not.
+ if ((CurrentSentMessage->flags & (SMF_RECEIVERBUSY|SMF_RECEIVEDMESSAGE)) != SMF_RECEIVEDMESSAGE)
+ {
+ CurrentSentMessage->flags |= SMF_RECEIVERFREE;
+ }
+
+
 if (!(CurrentSentMessage->flags & SMF_RECEIVERFREE))
 {
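Review bot: The comment on the added flag test in the MsqCleanupThreadMsgs hunk does not state the ownership rule the test enforces, which is the whole point of a use-after-free fix. The condition is true for every state except "SMF_RECEIVEDMESSAGE set and SMF_RECEIVERBUSY clear", so it also covers messages that were never received, and it then sets SMF_RECEIVERFREE so that the `if (!(... & SMF_RECEIVERFREE))` block that follows is skipped; presumably that block is the sender-side free, but its body lies outside the hunk. I would replace the comment with something like `// Receiver is still using (or has not yet received) this message: set SMF_RECEIVERFREE so the sender-side cleanup below leaves it alone.` It is also worth confirming outside this hunk that a message left behind this way no longer has its `ptiSender`/`ptiCallBackSender` dereferenced once this thread's THREADINFO is gone, since a stale pointer there would be the same class of bug.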