Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-07-01 02:10:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

[WIN32K:USER] Fix potential use after free when painting child windows

Browse source
This commit is contained in:
Jérôme Gardou 2021-07-30 15:44:57 +02:00 committed by Jérôme Gardou
parent d958dc9bc2
commit b783b16cef
1 changed files with 18 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
win32ss/user/ntuser/painting.c
View file

@ -369,14 +369,26 @@ IntSendNCPaint(PWND pWnd, HRGN hRgn)
VOID FASTCALL VOID FASTCALL
IntSendChildNCPaint(PWND pWnd) IntSendChildNCPaint(PWND pWnd)
{ {
for (pWnd = pWnd->spwndChild; pWnd; pWnd = pWnd->spwndNext) pWnd = pWnd->spwndChild;
while (pWnd)
{ {
if ((pWnd->hrgnUpdate == NULL) && (pWnd->state & WNDS_SENDNCPAINT)) if ((pWnd->hrgnUpdate == NULL) && (pWnd->state & WNDS_SENDNCPAINT))
{ {
PWND Next;
USER_REFERENCE_ENTRY Ref; USER_REFERENCE_ENTRY Ref;
/* Reference, IntSendNCPaint leaves win32k */
UserRefObjectCo(pWnd, &Ref); UserRefObjectCo(pWnd, &Ref);
IntSendNCPaint(pWnd, HRGN_WINDOW); IntSendNCPaint(pWnd, HRGN_WINDOW);
/* Make sure to grab next one before dereferencing/freeing */
Next = pWnd->spwndNext;
UserDerefObjectCo(pWnd); UserDerefObjectCo(pWnd);
pWnd = Next;
}
else
{
pWnd = pWnd->spwndNext;
} }
} }
} }