[NtUser]

- Fix Process Explorer crash in Win32k. See CORE-8779 and CORE-7447.

svn path=/trunk/; revision=65431

reactos/win32ss/user/ntuser/message.c

@@ -213,7 +213,10 @@ MsgMemorySize(PMSGMEMORY MsgMemoryEntry, WPARAM wParam, LPARAM lParam)
                 break;
 
             case WM_COPYDATA:
-                Size = sizeof(COPYDATASTRUCT) + ((PCOPYDATASTRUCT)lParam)->cbData;
+                {
+                COPYDATASTRUCT *cds = (COPYDATASTRUCT *)lParam;
+                Size = sizeof(COPYDATASTRUCT) + cds->cbData;
+                }
                 break;
 
             default:
@@ -472,6 +475,9 @@ CopyMsgToUserMem(MSG *UserModeMsg, MSG *KernelModeMsg)
     NTSTATUS Status;
     PMSGMEMORY MsgMemoryEntry;
     UINT Size;
+    PTHREADINFO pti;
+    
+    pti = PsGetCurrentThreadWin32Thread();
 
     /* See if this message type is present in the table */
     MsgMemoryEntry = FindMsgMemory(UserModeMsg->message);
@@ -486,6 +492,7 @@ CopyMsgToUserMem(MSG *UserModeMsg, MSG *KernelModeMsg)
 
     if (0 != Size)
     {
+        PWND pWnd = ValidateHwndNoErr(KernelModeMsg->hwnd);
         /* Copy data if required */
         if (0 != (MsgMemoryEntry->Flags & MMS_FLAG_WRITE))
         {
@@ -497,7 +504,12 @@ CopyMsgToUserMem(MSG *UserModeMsg, MSG *KernelModeMsg)
                 return Status;
             }
         }
-
+        if (pWnd && KernelModeMsg->message == WM_COPYDATA)
+        {
+           // Only the current process or thread can free the message lParam pointer.
+           if (pWnd->head.pti->MessageQueue != pti->MessageQueue)
+              return STATUS_SUCCESS;
+        }
         ExFreePool((PVOID) KernelModeMsg->lParam);
     }
 
@@ -1415,6 +1427,10 @@ co_IntSendMessageTimeoutSingle( HWND hWnd,
 
 CLEANUP:
     if (Window) UserDerefObjectCo(Window);
+    if ( !ptiSendTo && Msg == WM_COPYDATA )
+    {
+       ExFreePool((PVOID) lParam);
+    }
     END_CLEANUP;
 }