From e4ce29c7c6ce131626b7fa85cf1b4569da728605 Mon Sep 17 00:00:00 2001
From: Timo Kreuzer <timo.kreuzer@reactos.org>
Date: Sat, 14 Mar 2015 11:22:31 +0000
Subject: [PATCH] [WIN32K] Initialize list entry after removing a message from
 DispatchingMessagesHead. Fixes list corruption. CORE-9357 #resolve

svn path=/trunk/; revision=66685
---
 reactos/win32ss/user/ntuser/message.c  | 1 -
 reactos/win32ss/user/ntuser/msgqueue.c | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/reactos/win32ss/user/ntuser/message.c b/reactos/win32ss/user/ntuser/message.c
index 70de03cf3dc..9cdb76d63c7 100644
--- a/reactos/win32ss/user/ntuser/message.c
+++ b/reactos/win32ss/user/ntuser/message.c
@@ -1699,7 +1699,6 @@ co_IntSendMessageWithCallBack( HWND hWnd,
     Message->ptiSender = NULL; // mjmartin, you are right! This is null.
     Message->ptiCallBackSender = Win32Thread;
     InitializeListHead(&Message->DispatchingListEntry);
-    //Message->DispatchingListEntry.Flink = NULL;
     Message->CompletionCallback = CompletionCallback;
     Message->CompletionCallbackContext = CompletionCallbackContext;
     Message->HookMessage = MSQ_NORMAL;
diff --git a/reactos/win32ss/user/ntuser/msgqueue.c b/reactos/win32ss/user/ntuser/msgqueue.c
index 095a07c9620..f17f62f9c49 100644
--- a/reactos/win32ss/user/ntuser/msgqueue.c
+++ b/reactos/win32ss/user/ntuser/msgqueue.c
@@ -2128,6 +2128,7 @@ MsqCleanupThreadMsgs(PTHREADINFO pti)
    {
       CurrentEntry = RemoveHeadList(&pti->DispatchingMessagesHead);
       CurrentSentMessage = CONTAINING_RECORD(CurrentEntry, USER_SENT_MESSAGE, DispatchingListEntry);
+      InitializeListHead(&CurrentSentMessage->DispatchingListEntry);
       CurrentSentMessage->CompletionEvent = NULL;
       CurrentSentMessage->Result = NULL;