[NTUSER][IMM32] Fix ValidateHandleNoErr (#4377)

- Add DesktopPtrToUser helper function. - Fix imm32.ValidateHandleNoErr function. - Use DesktopHeapAlloc to allocate the IMC, instead of ExAllocatePoolWithTag. - Use DesktopHeapFree to free the IMC, instead of ExFreePoolWithTag. CORE-11700, CORE-18049
2024-06-26 07:51:52 +00:00 · 2022-03-03 09:43:05 +09:00 · 2022-03-03 09:43:05 +09:00 · cfeb498e4f
parent d9f156e9a8
commit cfeb498e4f
2 changed files with 32 additions and 6 deletions
--- a/dll/win32/imm32/utils.c
+++ b/dll/win32/imm32/utils.c
@ -149,12 +149,26 @@ VOID APIENTRY LogFontWideToAnsi(const LOGFONTW *plfW, LPLOGFONTA plfA)
    plfA->lfFaceName[cch] = 0;
 }

+static PVOID FASTCALL DesktopPtrToUser(PVOID ptr)
+{
+    PCLIENTINFO pci = GetWin32ClientInfo();
+    PDESKTOPINFO pdi = pci->pDeskInfo;
+
+    ASSERT(ptr != NULL);
+    ASSERT(pdi != NULL);
+    if (pdi->pvDesktopBase <= ptr && ptr < pdi->pvDesktopLimit)
+        return (PVOID)((ULONG_PTR)ptr - pci->ulClientDelta);
+    else
+        return (PVOID)NtUserCallOneParam((DWORD_PTR)ptr, ONEPARAM_ROUTINE_GETDESKTOPMAPPING);
+}
+
 LPVOID FASTCALL ValidateHandleNoErr(HANDLE hObject, UINT uType)
 {
-    INT index;
+    UINT index;
    PUSER_HANDLE_TABLE ht;
    PUSER_HANDLE_ENTRY he;
    WORD generation;
+    LPVOID ptr;

    if (!NtUserValidateHandleSecure(hObject))
        return NULL;
@ -166,14 +180,21 @@ LPVOID FASTCALL ValidateHandleNoErr(HANDLE hObject, UINT uType)
    he = (PUSER_HANDLE_ENTRY)((ULONG_PTR)ht->handles - g_SharedInfo.ulSharedDelta);

    index = (LOWORD(hObject) - FIRST_USER_HANDLE) >> 1;
-    if (index < 0 || ht->nb_handles <= index || he[index].type != uType)
+    if ((INT)index < 0 || ht->nb_handles <= index || he[index].type != uType)
+        return NULL;
+
+    if (he[index].flags & HANDLEENTRY_DESTROY)
        return NULL;

    generation = HIWORD(hObject);
    if (generation != he[index].generation && generation && generation != 0xFFFF)
        return NULL;

-    return &he[index];
+    ptr = he[index].ptr;
+    if (ptr)
+        ptr = DesktopPtrToUser(ptr);
+
+    return ptr;
 }

 PWND FASTCALL ValidateHwndNoErr(HWND hwnd)
--- a/win32ss/user/ntuser/ime.c
+++ b/win32ss/user/ntuser/ime.c
@ -1200,7 +1200,10 @@ AllocInputContextObject(PDESKTOP pDesk,
    ASSERT(Size > sizeof(*ObjHead));
    ASSERT(pti != NULL);

-    ObjHead = ExAllocatePoolWithTag(PagedPool, Size, USERTAG_IME);
+    if (!pDesk)
+        pDesk = pti->rpdesk;
+
+    ObjHead = DesktopHeapAlloc(pDesk, Size);
    if (!ObjHead)
        return NULL;

@ -1218,6 +1221,8 @@ AllocInputContextObject(PDESKTOP pDesk,

 VOID UserFreeInputContext(PVOID Object)
 {
+    PTHRDESKHEAD ObjHead = Object;
+    PDESKTOP pDesk = ObjHead->rpdesk;
    PIMC pIMC = Object, *ppIMC;
    PTHREADINFO pti;

@ -1235,7 +1240,7 @@ VOID UserFreeInputContext(PVOID Object)
        }
    }

-    ExFreePoolWithTag(pIMC, USERTAG_IME);
+    DesktopHeapFree(pDesk, Object);

    pti->ppi->UserHandleCount--;
    IntDereferenceThreadInfo(pti);
@ -1250,7 +1255,7 @@ BOOLEAN UserDestroyInputContext(PVOID Object)

    UserMarkObjectDestroy(pIMC);

-    return UserDeleteObject(pIMC->head.h, TYPE_INPUTCONTEXT);
+    return UserDeleteObject(UserHMGetHandle(pIMC), TYPE_INPUTCONTEXT);
 }

 BOOL NTAPI NtUserDestroyInputContext(HIMC hIMC)