- NtUserMessageCall: Fix probe-and-capture for the FNID_BROADCASTSYSTEMMESSAGE case -- win32k must copy user mode buffers to safe memory before reading from them (or wrap the operations in SEH). Copy the buffer to the stack as it is small.

svn path=/trunk/; revision=41816
2025-07-23 20:44:00 +00:00 · 2009-07-08 20:41:58 +00:00 · 2009-07-08 20:41:58 +00:00 · c589c03a22
commit c589c03a22
parent 488bf13922
1 changed files with 10 additions and 10 deletions
--- a/reactos/subsystems/win32/win32k/ntuser/message.c
+++ b/reactos/subsystems/win32/win32k/ntuser/message.c
@ -2051,7 +2051,7 @@ NtUserMessageCall(
      break;
      case FNID_BROADCASTSYSTEMMESSAGE:
      {
-         PBROADCASTPARM parm;
+         BROADCASTPARM parm;
         DWORD_PTR RetVal = 0;

         if (ResultInfo)
@ -2061,7 +2061,7 @@ NtUserMessageCall(
               ProbeForWrite((PVOID)ResultInfo,
                         sizeof(BROADCASTPARM),
                                             1);
-               parm = (PBROADCASTPARM)ResultInfo;
+               RtlCopyMemory(&parm, (PVOID)ResultInfo, sizeof(BROADCASTPARM));
            }
            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
            {
@ -2073,15 +2073,15 @@ NtUserMessageCall(
         else
           break;

-         if ( parm->recipients & BSM_ALLDESKTOPS ||
-              parm->recipients == BSM_ALLCOMPONENTS )
+         if ( parm.recipients & BSM_ALLDESKTOPS ||
+              parm.recipients == BSM_ALLCOMPONENTS )
         {
         }
-         else if (parm->recipients & BSM_APPLICATIONS)
+         else if (parm.recipients & BSM_APPLICATIONS)
         {
-            if (parm->flags & BSF_QUERY)
+            if (parm.flags & BSF_QUERY)
            {
-               if (parm->flags & BSF_FORCEIFHUNG || parm->flags & BSF_NOHANG)
+               if (parm.flags & BSF_FORCEIFHUNG || parm.flags & BSF_NOHANG)
               {
                  co_IntSendMessageTimeout( HWND_BROADCAST,
                                            Msg,
@ -2091,7 +2091,7 @@ NtUserMessageCall(
                                            2000,
                                            &RetVal);
               }
-               else if (parm->flags & BSF_NOTIMEOUTIFNOTHUNG)
+               else if (parm.flags & BSF_NOTIMEOUTIFNOTHUNG)
               {
                  co_IntSendMessageTimeout( HWND_BROADCAST,
                                            Msg,
@ -2112,11 +2112,11 @@ NtUserMessageCall(
                                            &RetVal);
               }
            }
-            else if (parm->flags & BSF_POSTMESSAGE)
+            else if (parm.flags & BSF_POSTMESSAGE)
            {
               Ret = UserPostMessage(HWND_BROADCAST, Msg, wParam, lParam);
            }
-            else if ( parm->flags & BSF_SENDNOTIFYMESSAGE)
+            else if ( parm.flags & BSF_SENDNOTIFYMESSAGE)
            {
               Ret = UserSendNotifyMessage(HWND_BROADCAST, Msg, wParam, lParam);
            }