[NTUSER] NtUserWaitForInputIdle: Fix unhandled exception BSOD 0x1E (#5391)

Fix CLIENTINFO usermode pointer access once again. Based on a patch by Michael Fritscher from CORE-10017. Addendum to 7052282507 (r68702). CORE-18728 CORE-19014
2024-06-19 11:19:47 +00:00 · 2023-07-03 00:30:30 +07:00 · 2023-07-03 00:30:30 +07:00 · c7e4c3a8e9
parent 8e01dee251
commit c7e4c3a8e9
1 changed files with 3 additions and 2 deletions
--- a/win32ss/user/ntuser/message.c
+++ b/win32ss/user/ntuser/message.c
@ -3110,14 +3110,12 @@ NtUserWaitForInputIdle( IN HANDLE hProcess,
       Timeout.QuadPart = (LONGLONG) dwMilliseconds * (LONGLONG) -10000;

    KeStackAttachProcess(&Process->Pcb, &ApcState);
-
    W32Process->W32PF_flags |= W32PF_WAITFORINPUTIDLE;
    for (pti = W32Process->ptiList; pti; pti = pti->ptiSibling)
    {
       pti->TIF_flags |= TIF_WAITFORINPUTIDLE;
       pti->pClientInfo->dwTIFlags = pti->TIF_flags;
    }
-
    KeUnstackDetachProcess(&ApcState);

    TRACE("WFII: ppi %p\n", W32Process);
@ -3176,12 +3174,15 @@ NtUserWaitForInputIdle( IN HANDLE hProcess,
    while (TRUE);

 WaitExit:
+    KeStackAttachProcess(&Process->Pcb, &ApcState);
    for (pti = W32Process->ptiList; pti; pti = pti->ptiSibling)
    {
       pti->TIF_flags &= ~TIF_WAITFORINPUTIDLE;
       pti->pClientInfo->dwTIFlags = pti->TIF_flags;
    }
    W32Process->W32PF_flags &= ~W32PF_WAITFORINPUTIDLE;
+    KeUnstackDetachProcess(&ApcState);
+
    IntDereferenceProcessInfo(W32Process);
    ObDereferenceObject(Process);
    UserLeave();