From a38b059ca1b556a0082cbe97315a14ddf6991910 Mon Sep 17 00:00:00 2001
From: Giannis Adamopoulos
Date: Mon, 6 Dec 2010 12:07:05 +0000
Subject: [PATCH] [win32k] - In FNID_SENDMESSAGECALLBACK use SEH before accesing the user-mode buffer
svn path=/trunk/; revision=49962
---
 .../subsystems/win32/win32k/ntuser/message.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/reactos/subsystems/win32/win32k/ntuser/message.c b/reactos/subsystems/win32/win32k/ntuser/message.c
index fb798ed85ce..ad8be3d5194 100644
--- a/reactos/subsystems/win32/win32k/ntuser/message.c
+++ b/reactos/subsystems/win32/win32k/ntuser/message.c
@@ -2175,14 +2175,23 @@ NtUserMessageCall( HWND hWnd,
 break;
 case FNID_SENDMESSAGECALLBACK:
 {
- PCALL_BACK_INFO CallBackInfo = (PCALL_BACK_INFO)ResultInfo;
+ CALL_BACK_INFO CallBackInfo;
 ULONG_PTR uResult;
-
- if (!CallBackInfo)
- break;
+
+ _SEH2_TRY
+ {
+ ProbeForRead((PVOID)ResultInfo, sizeof(CALL_BACK_INFO), 1);
+ RtlCopyMemory(&CallBackInfo, (PVOID)ResultInfo, sizeof(CALL_BACK_INFO));
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Ret = FALSE;
+ _SEH2_YIELD(break);
+ }
+ _SEH2_END;
 if (!co_IntSendMessageWithCallBack(hWnd, Msg, wParam, lParam,
- CallBackInfo->CallBack, CallBackInfo->Context, &uResult))
+ CallBackInfo.CallBack, CallBackInfo.Context, &uResult))
 {
 DPRINT1("Callback failure!\n");
 }
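Review bot: `CallBackInfo.CallBack` and `CallBackInfo.Context` remain user-controlled values after the capture, and nothing in this hunk records what `co_IntSendMessageWithCallBack` is allowed to do with them. The probe-and-copy inside `_SEH2_TRY` snapshots the structure so it cannot change underneath the kernel after the read, but it validates only the buffer address, not the pointers stored in it. A comment above the call would pin the assumption down, for example `/* CallBackInfo is a captured copy of user memory: CallBack/Context are untrusted and must only be handed back to user mode, never called or dereferenced in kernel mode */`. The exception handler also sets `Ret = FALSE` silently, while the send failure just below logs through `DPRINT1`; a matching trace in the handler would make a bad `ResultInfo` pointer visible when debugging. NtUserMessageCall and the enclosing switch continue outside the hunk, so whether the callee checks the callback pointer cannot be confirmed from here.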