From cfeb498e4f2ed0eaef6d29cd4332c60120347b10 Mon Sep 17 00:00:00 2001
From: Katayama Hirofumi MZ
Date: Thu, 3 Mar 2022 09:43:05 +0900
Subject: [PATCH] [NTUSER][IMM32] Fix ValidateHandleNoErr (#4377)

- Add DesktopPtrToUser helper function.
- Fix imm32.ValidateHandleNoErr function.
- Use DesktopHeapAlloc to allocate the IMC, instead of ExAllocatePoolWithTag.
- Use DesktopHeapFree to free the IMC, instead of ExFreePoolWithTag.

CORE-11700, CORE-18049
---
 dll/win32/imm32/utils.c | 27 ++++++++++++++++++++++++---
 win32ss/user/ntuser/ime.c | 11 ++++++++---
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/dll/win32/imm32/utils.c b/dll/win32/imm32/utils.c
index 8c3d8ad3c11..e96f80528ae 100644
--- a/dll/win32/imm32/utils.c
+++ b/dll/win32/imm32/utils.c
@@ -149,12 +149,26 @@ VOID APIENTRY LogFontWideToAnsi(const LOGFONTW *plfW, LPLOGFONTA plfA)
     plfA->lfFaceName[cch] = 0;
 }
 
+static PVOID FASTCALL DesktopPtrToUser(PVOID ptr)
+{
+    PCLIENTINFO pci = GetWin32ClientInfo();
+    PDESKTOPINFO pdi = pci->pDeskInfo;
+
+    ASSERT(ptr != NULL);
+    ASSERT(pdi != NULL);
+    if (pdi->pvDesktopBase <= ptr && ptr < pdi->pvDesktopLimit)
+        return (PVOID)((ULONG_PTR)ptr - pci->ulClientDelta);
+    else
+        return (PVOID)NtUserCallOneParam((DWORD_PTR)ptr, ONEPARAM_ROUTINE_GETDESKTOPMAPPING);
+}
+
 LPVOID FASTCALL ValidateHandleNoErr(HANDLE hObject, UINT uType)
 {
-    INT index;
+    UINT index;
     PUSER_HANDLE_TABLE ht;
     PUSER_HANDLE_ENTRY he;
     WORD generation;
+    LPVOID ptr;
 
     if (!NtUserValidateHandleSecure(hObject))
         return NULL;
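Review bot: `DesktopPtrToUser` dereferences `pdi` on `pdi->pvDesktopBase` immediately after `ASSERT(pdi != NULL)`, so a thread whose `pDeskInfo` is not yet populated would fault in a build where ASSERT is compiled out (as it appears to be for non-debug builds) rather than fail validation; a runtime guard, `if (!pdi) return NULL;`, lets `ValidateHandleNoErr` report the handle as invalid, consistent with its other failure paths. The range check only establishes that `ptr` lies inside the mapped desktop heap, not that it designates a live object, so the caller's type, generation and destroy-flag checks are what make the result trustworthy; a header comment making that explicit — `/* Translate a kernel desktop-heap address to its user-mode alias (presumably a read-only mapping); validity of the target is the caller's responsibility */` — would keep future callers from relying on this helper alone. The `else` after an unconditional `return` is redundant and can be dropped.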
@@ -166,14 +180,21 @@ LPVOID FASTCALL ValidateHandleNoErr(HANDLE hObject, UINT uType)
 
     he = (PUSER_HANDLE_ENTRY)((ULONG_PTR)ht->handles - g_SharedInfo.ulSharedDelta);
     index = (LOWORD(hObject) - FIRST_USER_HANDLE) >> 1;
-    if (index < 0 || ht->nb_handles <= index || he[index].type != uType)
+    if ((INT)index < 0 || ht->nb_handles <= index || he[index].type != uType)
+        return NULL;
+
+    if (he[index].flags & HANDLEENTRY_DESTROY)
         return NULL;
 
     generation = HIWORD(hObject);
     if (generation != he[index].generation && generation && generation != 0xFFFF)
         return NULL;
 
-    return &he[index];
+    ptr = he[index].ptr;
+    if (ptr)
+        ptr = DesktopPtrToUser(ptr);
+
+    return ptr;
 }
 
 PWND FASTCALL ValidateHwndNoErr(HWND hwnd)
diff --git a/win32ss/user/ntuser/ime.c b/win32ss/user/ntuser/ime.c
index f29f4e4cfa4..124e5667c88 100644
--- a/win32ss/user/ntuser/ime.c
+++ b/win32ss/user/ntuser/ime.c
@@ -1200,7 +1200,10 @@ AllocInputContextObject(PDESKTOP pDesk,
     ASSERT(Size > sizeof(*ObjHead));
     ASSERT(pti != NULL);
 
-    ObjHead = ExAllocatePoolWithTag(PagedPool, Size, USERTAG_IME);
+    if (!pDesk)
+        pDesk = pti->rpdesk;
+
+    ObjHead = DesktopHeapAlloc(pDesk, Size);
     if (!ObjHead)
         return NULL;
 
@@ -1218,6 +1221,8 @@ AllocInputContextObject(PDESKTOP pDesk,
 
 VOID UserFreeInputContext(PVOID Object)
 {
+    PTHRDESKHEAD ObjHead = Object;
+    PDESKTOP pDesk = ObjHead->rpdesk;
     PIMC pIMC = Object, *ppIMC;
     PTHREADINFO pti;
 
@@ -1235,7 +1240,7 @@ VOID UserFreeInputContext(PVOID Object)
         }
     }
 
-    ExFreePoolWithTag(pIMC, USERTAG_IME);
+    DesktopHeapFree(pDesk, Object);
     pti->ppi->UserHandleCount--;
     IntDereferenceThreadInfo(pti);
 
@@ -1250,7 +1255,7 @@ BOOLEAN UserDestroyInputContext(PVOID Object)
 
     UserMarkObjectDestroy(pIMC);
 
-    return UserDeleteObject(pIMC->head.h, TYPE_INPUTCONTEXT);
+    return UserDeleteObject(UserHMGetHandle(pIMC), TYPE_INPUTCONTEXT);
 }
 
 BOOL NTAPI NtUserDestroyInputContext(HIMC hIMC)
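Review bot: The meaning of `ValidateHandleNoErr`'s return value changes in this hunk — it used to hand back `&he[index]`, the handle-table entry, and now returns the object's user-mode address — yet the signature stays `LPVOID` and no comment records the new contract, so a caller not updated in this commit would silently interpret the wrong structure; a header comment such as `/* Returns the user-mode view of the object behind hObject if it is a live object of type uType, otherwise NULL */` would pin it down. The `(INT)index < 0` test depends on `LOWORD(hObject) - FIRST_USER_HANDLE` going negative and then being right-shifted, which is implementation-defined for a negative signed value; rejecting up front with `if (LOWORD(hObject) < FIRST_USER_HANDLE) return NULL;` and computing `index` from a known non-negative difference avoids that. The handle table is read from memory shared with the kernel, so the entry can change between these checks and the caller's use of the returned pointer, which is worth stating in the same comment. ValidateHandleNoErr begins before this hunk.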
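Review bot: After the new fallback `if (!pDesk) pDesk = pti->rpdesk;`, `pDesk` can still be NULL for a thread not attached to any desktop, and it is passed straight into `DesktopHeapAlloc(pDesk, Size)`; unless DesktopHeapAlloc tolerates a NULL desktop (not visible here), a second guard `if (!pDesk) return NULL;` belongs before the call. `UserFreeInputContext` later frees through `ObjHead->rpdesk`, so the assignment that records the desktop in the object header (outside this hunk) must store this resolved `pDesk` rather than the caller's original argument, otherwise the free targets the wrong heap. Moving the IMC from paged pool into the desktop heap also makes its contents readable by every process sharing that desktop mapping, which is presumably the intent of the fix but means any kernel-private fields in the IMC are now exposed; a one-line comment on the allocation stating that the object is user-visible would record that decision. AllocInputContextObject starts before this hunk and continues after it.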
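Review bot: `DesktopHeapFree(pDesk, Object)` relies on `pDesk`, read from `ObjHead->rpdesk` in the previous hunk, being non-NULL and naming the heap the IMC was actually allocated from, and nothing here checks or documents either; if `rpdesk` were unset the call would dereference NULL inside the freeing path. Taking the desktop from the object header rather than `pti->rpdesk` is the right choice if a thread can change desktops after allocation, but that reasoning is not recorded — a comment at the free, `/* Free from the heap the IMC was allocated in (ObjHead->rpdesk), not pti->rpdesk: the thread may have moved desktops since */`, plus `ASSERT(pDesk != NULL);` ahead of it, would make the invariant explicit. UserFreeInputContext begins in the previous hunk and continues past this one.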