From 953771f506244363e8e94aafc776f43690ffe5dc Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Fri, 11 Sep 2015 07:31:06 +0000
Subject: [PATCH] [WIN32K:NTUSER] - Probe parameters in NtUserGetLayeredWindowAttributes - Don't call UserGetWindowObject without holding the user lock svn path=/trunk/; revision=69182
---
 reactos/win32ss/user/ntuser/layered.c | 37 +++++++++++++++++----------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/reactos/win32ss/user/ntuser/layered.c b/reactos/win32ss/user/ntuser/layered.c
index 558aff145eb..84180f68a00 100644
--- a/reactos/win32ss/user/ntuser/layered.c
+++ b/reactos/win32ss/user/ntuser/layered.c
@@ -224,15 +224,15 @@ NtUserGetLayeredWindowAttributes(
 BOOL Ret = FALSE;
 TRACE("Enter NtUserGetLayeredWindowAttributes\n");
+ UserEnterExclusive();
 if (!(pWnd = UserGetWindowObject(hwnd)) || !(pWnd->ExStyle & WS_EX_LAYERED) )
 {
- return FALSE;
+ ERR("Not a Layered Window!\n");
+ goto Exit;
 }
- UserEnterExclusive();
-
 pLrdProp = UserGetProp(pWnd, AtomLayer);
 if (!pLrdProp)
@@ -248,9 +248,21 @@ NtUserGetLayeredWindowAttributes(
 _SEH2_TRY
 {
- if (pcrKey) *pcrKey = pLrdProp->Key;
- if (pbAlpha) *pbAlpha = pLrdProp->Alpha;
- if (pdwFlags) *pdwFlags = pLrdProp->Flags;
+ if (pcrKey)
+ {
+ ProbeForWrite(pcrKey, sizeof(*pcrKey), 1);
+ *pcrKey = pLrdProp->Key;
+ }
+ if (pbAlpha)
+ {
+ ProbeForWrite(pbAlpha, sizeof(*pbAlpha), 1);
+ *pbAlpha = pLrdProp->Alpha;
+ }
+ if (pdwFlags)
+ {
+ ProbeForWrite(pdwFlags, sizeof(*pdwFlags), 1);
+ *pdwFlags = pLrdProp->Flags;
+ }
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
@@ -322,10 +334,11 @@ NtUserUpdateLayeredWindow(
 BOOL Ret = FALSE;
 TRACE("Enter NtUserUpdateLayeredWindow\n");
+ UserEnterExclusive();
 if (!(pWnd = UserGetWindowObject(hwnd)))
 {
- return FALSE;
+ goto Exit;
 }
 _SEH2_TRY
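Review bot: In NtUserGetLayeredWindowAttributes the new `ERR("Not a Layered Window!\n");` also fires when `UserGetWindowObject(hwnd)` returns NULL, so an invalid handle is reported as a non-layered window, and any user-mode caller can produce ERR-level debug output at will. I would lower the level and make the message cover both cases, e.g. `TRACE("Invalid or non-layered window %p\n", hwnd);`, or split the condition into two checks with their own messages. The `Exit:` label of this function lies outside the hunk; since every early exit now goes through it, it is worth confirming that it releases the user lock with `UserLeave()`.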
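Review bot: In the `_SEH2_TRY` block of NtUserGetLayeredWindowAttributes each pointer is probed immediately before its own store, so a bad `pbAlpha` or `pdwFlags` raises only after `*pcrKey` has already been written, and the caller sees a failure with partly updated outputs. Probing every supplied pointer first and storing afterwards narrows that window. The stores still have to stay inside the try block, because a successful probe does not guarantee the mapping remains valid when the store happens. The body of the `_SEH2_EXCEPT` handler is outside the hunk.

```c
_SEH2_TRY
{
    /* Validate every supplied output pointer before storing anything */
    if (pcrKey) ProbeForWrite(pcrKey, sizeof(*pcrKey), 1);
    if (pbAlpha) ProbeForWrite(pbAlpha, sizeof(*pbAlpha), 1);
    if (pdwFlags) ProbeForWrite(pdwFlags, sizeof(*pdwFlags), 1);

    /* Stores stay under SEH: the pages may change after the probe */
    if (pcrKey) *pcrKey = pLrdProp->Key;
    if (pbAlpha) *pbAlpha = pLrdProp->Alpha;
    if (pdwFlags) *pdwFlags = pLrdProp->Flags;
}
/* … unchanged: _SEH2_EXCEPT handler … */
```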
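Review bot: Moving `UserEnterExclusive();` ahead of the window lookup in NtUserUpdateLayeredWindow also puts the `_SEH2_TRY` block that starts at the end of this hunk (its handler is in the `@@ -356,12 +369,10 @@` hunk) under the exclusive user lock, so the lock is now held while caller-supplied memory is read. The body of that block is not shown; presumably it captures the point, size, blend and dirty-rectangle arguments into the locals used later. Capturing the user-mode parameters first and only then taking the lock and resolving `hwnd` would keep the lookup protected without holding the lock across user-memory accesses. If the current order is intentional, a comment such as `/* Lock is taken before the handle lookup; the parameter capture below runs under it */` would record that.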
@@ -356,12 +369,10 @@ NtUserUpdateLayeredWindow(
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
 EngSetLastError( ERROR_INVALID_PARAMETER );
- _SEH2_YIELD(return FALSE);
+ _SEH2_YIELD(goto Exit);
 }
 _SEH2_END;
- UserEnterExclusive();
-
 if ( GetLayeredStatus(pWnd) || dwFlags & ~(ULW_COLORKEY | ULW_ALPHA | ULW_OPAQUE | ULW_EX_NORESIZE) || !(pWnd->ExStyle & WS_EX_LAYERED) )
@@ -373,14 +384,14 @@ NtUserUpdateLayeredWindow(
 info.cbSize = sizeof(info);
 info.hdcDst = hdcDst;
- info.pptDst = pptDst? &Dst : 0;
+ info.pptDst = pptDst? &Dst : NULL;
 info.psize = &Size;
 info.hdcSrc = hdcSrc;
- info.pptSrc = pptSrc ? &Src : 0;
+ info.pptSrc = pptSrc ? &Src : NULL;
 info.crKey = crKey;
 info.pblend = &blend;
 info.dwFlags = dwFlags;
- info.prcDirty = prcDirty ? &Dirty : 0;
+ info.prcDirty = prcDirty ? &Dirty : NULL;
 Ret = IntUpdateLayeredWindowI( pWnd, &info );
 Exit:
 TRACE("Leave NtUserUpdateLayeredWindow, ret=%i\n", Ret);