[WIN32K]

- Add/improve some annotations
- Improve code in EngpGetPDEV and NtGdiGetRegionData
- Simplify SEH exception handling
- Fix possible NULL pointer dereferences
- Fix wrong variable usage in UnpackParam
- Fix a possible bufer overrun
- Check return value of ExAllocatePool and RtlCreateUnicodeString
- Fix & vs && typo
All detected with VS11 analyse

svn path=/trunk/; revision=57948

reactos/include/psdk/ntgdi.h

@@ -1996,6 +1996,7 @@ NtGdiGetDCDword(
     OUT DWORD *Result
 );
 
+_Success_(return!=FALSE)
 W32KAPI
 BOOL
 APIENTRY
@@ -2046,6 +2047,7 @@ NtGdiSetSizeDevice(
     _In_ INT cxVirtualDevice,
     _In_ INT cyVirtualDevice);
 
+_Success_(return !=FALSE)
 W32KAPI
 BOOL
 APIENTRY
@@ -2508,6 +2510,7 @@ NtGdiOffsetRgn(
     _In_ INT cx,
     _In_ INT cy);
 
+_Success_(return!=ERROR)
 W32KAPI
 INT
 APIENTRY
@@ -2523,6 +2526,7 @@ NtGdiRectInRegion(
     IN OUT LPRECT prcl
 );
 
+_Success_(return!=0)
 W32KAPI
 DWORD
 APIENTRY
@@ -2559,13 +2563,14 @@ NtGdiSetSystemPaletteUse(
     _In_ HDC hdc,
     _In_ UINT ui);
 
+_Success_(return!=0)
 W32KAPI
-DWORD
+ULONG
 APIENTRY
 NtGdiGetRegionData(
     _In_ HRGN hrgn,
-    _In_ DWORD nCount,
+    _In_ ULONG cjBuffer,
-    _Out_opt_ LPRGNDATA lpRgnData);
+    _Out_opt_bytecap_(cjBuffer) LPRGNDATA lpRgnData);
 
 W32KAPI
 BOOL

reactos/win32ss/gdi/eng/pdevobj.c

@@ -472,7 +472,7 @@ leave:
 PPDEVOBJ
 NTAPI
 EngpGetPDEV(
-    _In_ PUNICODE_STRING pustrDeviceName)
+    _In_opt_ PUNICODE_STRING pustrDeviceName)
 {
     UNICODE_STRING ustrCurrent;
     PPDEVOBJ ppdev;
@@ -481,37 +481,39 @@ EngpGetPDEV(
     /* Acquire PDEV lock */
     EngAcquireSemaphore(ghsemPDEV);
 
-    /* If no device name is given, ... */
+    /* Did the caller pass a device name? */
-    if (!pustrDeviceName && gppdevPrimary)
+    if (pustrDeviceName)
     {
-        /* ... use the primary PDEV */
+        /* Loop all present PDEVs */
-        ppdev = gppdevPrimary;
+        for (ppdev = gppdevList; ppdev; ppdev = ppdev->ppdevNext)
-
-        /* Reference the pdev */
-        InterlockedIncrement(&ppdev->cPdevRefs);
-        goto leave;
-    }
-
-    /* Loop all present PDEVs */
-    for (ppdev = gppdevList; ppdev; ppdev = ppdev->ppdevNext)
-    {
-        /* Get a pointer to the GRAPHICS_DEVICE */
-        pGraphicsDevice = ppdev->pGraphicsDevice;
-
-        /* Compare the name */
-        RtlInitUnicodeString(&ustrCurrent, pGraphicsDevice->szWinDeviceName);
-        if (RtlEqualUnicodeString(pustrDeviceName, &ustrCurrent, FALSE))
         {
-            /* Found! Reference the PDEV */
+            /* Get a pointer to the GRAPHICS_DEVICE */
-            InterlockedIncrement(&ppdev->cPdevRefs);
+            pGraphicsDevice = ppdev->pGraphicsDevice;
-            break;
+
+            /* Compare the name */
+            RtlInitUnicodeString(&ustrCurrent, pGraphicsDevice->szWinDeviceName);
+            if (RtlEqualUnicodeString(pustrDeviceName, &ustrCurrent, FALSE))
+            {
+                /* Found! */
+                break;
+            }
         }
     }
+    else
+    {
+        /* Otherwise use the primary PDEV */
+        ppdev = gppdevPrimary;
+    }
 
     /* Did we find one? */
-    if (!ppdev)
+    if (ppdev)
     {
-        /* No, create a new PDEV */
+        /* Yes, reference the PDEV */
+        InterlockedIncrement(&ppdev->cPdevRefs);
+    }
+    else
+    {
+        /* No, create a new PDEV for the given device */
         ppdev = EngpCreatePDEV(pustrDeviceName, NULL);
         if (ppdev)
         {
@@ -528,7 +530,6 @@ EngpGetPDEV(
         }
     }
 
-leave:
     /* Release PDEV lock */
     EngReleaseSemaphore(ghsemPDEV);
 

reactos/win32ss/gdi/eng/pdevobj.h

@@ -161,7 +161,7 @@ extern PPDEVOBJ gppdevPrimary;
 PPDEVOBJ
 NTAPI
 EngpGetPDEV(
-    _In_ PUNICODE_STRING pustrDevice);
+    _In_opt_ PUNICODE_STRING pustrDevice);
 
 VOID
 NTAPI
@@ -188,6 +188,6 @@ PSIZEL
 FASTCALL
 PDEVOBJ_sizl(
     _In_ PPDEVOBJ ppdev,
-    _In_ PSIZEL psizl);
+    _Out_ PSIZEL psizl);
 
 #endif /* !__WIN32K_PDEVOBJ_H */

reactos/win32ss/gdi/eng/xlateobj.c

@@ -11,6 +11,13 @@
 #define NDEBUG
 #include <debug.h>
 
+_Always_(_Post_satisfies_(return==iColor))
+_Function_class_(FN_XLATE)
+ULONG
+FASTCALL
+EXLATEOBJ_iXlateTrivial(
+    _In_ PEXLATEOBJ pexlo,
+    _In_ ULONG iColor);
 
 /** Globals *******************************************************************/
 
@@ -31,6 +38,8 @@ static const BYTE gajXlate6to8[64] =
 
 /** iXlate functions **********************************************************/
 
+_Always_(_Post_satisfies_(return==iColor))
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateTrivial(PEXLATEOBJ pexlo, ULONG iColor)
@@ -38,6 +47,7 @@ EXLATEOBJ_iXlateTrivial(PEXLATEOBJ pexlo, ULONG iColor)
     return iColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateToMono(PEXLATEOBJ pexlo, ULONG iColor)
@@ -45,6 +55,7 @@ EXLATEOBJ_iXlateToMono(PEXLATEOBJ pexlo, ULONG iColor)
     return (iColor == pexlo->xlo.pulXlate[0]);
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateTable(PEXLATEOBJ pexlo, ULONG iColor)
@@ -53,6 +64,7 @@ EXLATEOBJ_iXlateTable(PEXLATEOBJ pexlo, ULONG iColor)
     return pexlo->xlo.pulXlate[iColor];
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateRGBtoBGR(PEXLATEOBJ pxlo, ULONG iColor)
@@ -72,6 +84,7 @@ EXLATEOBJ_iXlateRGBtoBGR(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateRGBto555(PEXLATEOBJ pxlo, ULONG iColor)
@@ -93,6 +106,7 @@ EXLATEOBJ_iXlateRGBto555(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateBGRto555(PEXLATEOBJ pxlo, ULONG iColor)
@@ -114,6 +128,7 @@ EXLATEOBJ_iXlateBGRto555(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateRGBto565(PEXLATEOBJ pxlo, ULONG iColor)
@@ -135,6 +150,7 @@ EXLATEOBJ_iXlateRGBto565(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateBGRto565(PEXLATEOBJ pxlo, ULONG iColor)
@@ -156,6 +172,7 @@ EXLATEOBJ_iXlateBGRto565(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateRGBtoPal(PEXLATEOBJ pexlo, ULONG iColor)
@@ -163,6 +180,7 @@ EXLATEOBJ_iXlateRGBtoPal(PEXLATEOBJ pexlo, ULONG iColor)
     return PALETTE_ulGetNearestPaletteIndex(pexlo->ppalDst, iColor);
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate555toRGB(PEXLATEOBJ pxlo, ULONG iColor)
@@ -183,6 +201,7 @@ EXLATEOBJ_iXlate555toRGB(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate555toBGR(PEXLATEOBJ pxlo, ULONG iColor)
@@ -203,6 +222,7 @@ EXLATEOBJ_iXlate555toBGR(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate555to565(PEXLATEOBJ pxlo, ULONG iColor)
@@ -223,6 +243,7 @@ EXLATEOBJ_iXlate555to565(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate555toPal(PEXLATEOBJ pexlo, ULONG iColor)
@@ -232,6 +253,7 @@ EXLATEOBJ_iXlate555toPal(PEXLATEOBJ pexlo, ULONG iColor)
     return PALETTE_ulGetNearestPaletteIndex(pexlo->ppalDst, iColor);
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate565to555(PEXLATEOBJ pxlo, ULONG iColor)
@@ -248,6 +270,7 @@ EXLATEOBJ_iXlate565to555(PEXLATEOBJ pxlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate565toRGB(PEXLATEOBJ pexlo, ULONG iColor)
@@ -268,6 +291,7 @@ EXLATEOBJ_iXlate565toRGB(PEXLATEOBJ pexlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate565toBGR(PEXLATEOBJ pexlo, ULONG iColor)
@@ -288,6 +312,7 @@ EXLATEOBJ_iXlate565toBGR(PEXLATEOBJ pexlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlate565toPal(EXLATEOBJ *pexlo, ULONG iColor)
@@ -297,6 +322,7 @@ EXLATEOBJ_iXlate565toPal(EXLATEOBJ *pexlo, ULONG iColor)
     return PALETTE_ulGetNearestPaletteIndex(pexlo->ppalDst, iColor);
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateShiftAndMask(PEXLATEOBJ pexlo, ULONG iColor)
@@ -310,6 +336,7 @@ EXLATEOBJ_iXlateShiftAndMask(PEXLATEOBJ pexlo, ULONG iColor)
     return iNewColor;
 }
 
+_Function_class_(FN_XLATE)
 ULONG
 FASTCALL
 EXLATEOBJ_iXlateBitfieldsToPal(PEXLATEOBJ pexlo, ULONG iColor)

reactos/win32ss/gdi/eng/xlateobj.h

@@ -11,7 +11,7 @@ struct _EXLATEOBJ;
 
 _Function_class_(FN_XLATE)
 typedef
-ULONG 
+ULONG
 (FASTCALL *PFN_XLATE)(
     _In_ struct _EXLATEOBJ *pexlo,
     _In_ ULONG iColor);
@@ -84,10 +84,3 @@ NTAPI
 EXLATEOBJ_vCleanup(
     _Inout_ PEXLATEOBJ pexlo);
 
-_Always_(_Post_satisfies_(return==iColor))
-ULONG
-FASTCALL
-EXLATEOBJ_iXlateTrivial(
-    _In_ PEXLATEOBJ pexlo,
-    _In_ ULONG iColor);
-

reactos/win32ss/gdi/ntgdi/cliprgn.c

@@ -555,6 +555,11 @@ NEW_CLIPPING_UpdateGCRegion(PDC pDC)
      pDC->prgnRao = IntSysCreateRectpRgn(0,0,0,0);
   }
 
+  if (!pDC->prgnRao)
+  {
+     return ERROR;
+  }
+
   if (pDC->dclevel.prgnMeta && pDC->dclevel.prgnClip)
   {
      IntGdiCombineRgn( pDC->prgnAPI,
@@ -585,7 +590,6 @@ NEW_CLIPPING_UpdateGCRegion(PDC pDC)
                     pDC->prgnAPI,
                     RGN_AND);
 
-  // FIXME: pDC->prgnRao may be NULL
   RtlCopyMemory(&pDC->erclClip,
                 &pDC->prgnRao->rdh.rcBound,
                 sizeof(RECTL));
@@ -599,8 +603,8 @@ NEW_CLIPPING_UpdateGCRegion(PDC pDC)
   // With pDC->co.pClipRgn->Buffer,
   // pDC->co.pClipRgn = pDC->prgnRao ? pDC->prgnRao : pDC->prgnVis;
 
-  co = IntEngCreateClipRegion( ((PROSRGNDATA)pDC->prgnRao)->rdh.nCount,
+  co = IntEngCreateClipRegion(pDC->prgnRao->rdh.nCount,
-                               ((PROSRGNDATA)pDC->prgnRao)->Buffer,
+                              pDC->prgnRao->Buffer,
                                  &pDC->erclClip);
   if (co)
   {

reactos/win32ss/gdi/ntgdi/coord.c

@@ -430,6 +430,7 @@ NtGdiTransformPoints(
     _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
     {
         /* Do not set last error */
+        ret = 0;
     }
     _SEH2_END;
 
@@ -1232,7 +1233,6 @@ NtGdiGetDCPoint(
     POINTL SafePoint;
     SIZE Size;
     PSIZEL pszlViewportExt;
-    NTSTATUS Status = STATUS_SUCCESS;
 
     if (!Point)
     {
@@ -1293,15 +1293,9 @@ NtGdiGetDCPoint(
         }
         _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
         {
-            Status = _SEH2_GetExceptionCode();
-        }
-        _SEH2_END;
-
-        if (!NT_SUCCESS(Status))
-        {
-            SetLastNtError(Status);
             Ret = FALSE;
         }
+        _SEH2_END;
     }
 
     DC_UnlockDc(pdc);

reactos/win32ss/gdi/ntgdi/dibobj.c

@@ -867,7 +867,7 @@ GreGetDIBitsInternal(
         }
 
         psurfDest = SURFACE_ShareLockSurface(hBmpDest);
-        
+
         RECTL_vSetRect(&rcDest, 0, 0, ScanLines, psurf->SurfObj.sizlBitmap.cx);
 
         srcPoint.x = 0;
@@ -1014,7 +1014,7 @@ NtGdiGetDIBitsInternal(
         _SEH2_TRY
         {
             /* Copy the data back */
-            ProbeForWrite(pbmiUser, cjMaxInfo, 1); 
+            ProbeForWrite(pbmiUser, cjMaxInfo, 1);
             RtlCopyMemory(pbmiUser, pbmi, cjMaxInfo);
         }
         _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
@@ -1646,7 +1646,7 @@ cleanup:
             GreDeleteObject(res);
             res = 0;
         }
-        
+
         if(ppalDIB)
         {
             PALETTE_ShareUnlockPalette(ppalDIB);
@@ -1862,23 +1862,23 @@ DIB_FreeConvertedBitmapInfo(BITMAPINFO* converted, BITMAPINFO* orig, DWORD usage
     BITMAPCOREINFO* pbmci;
     if(converted == orig)
         return;
-    
+
     if(usage == -1)
     {
         /* Caller don't want any conversion */
         ExFreePoolWithTag(converted, TAG_DIB);
         return;
     }
-    
+
     /* Perform inverse conversion */
     pbmci = (BITMAPCOREINFO*)orig;
-    
+
     ASSERT(pbmci->bmciHeader.bcSize == sizeof(BITMAPCOREHEADER));
     pbmci->bmciHeader.bcBitCount = converted->bmiHeader.biBitCount;
     pbmci->bmciHeader.bcWidth = converted->bmiHeader.biWidth;
     pbmci->bmciHeader.bcHeight = converted->bmiHeader.biHeight;
     pbmci->bmciHeader.bcPlanes = converted->bmiHeader.biPlanes;
-    
+
     if(pbmci->bmciHeader.bcBitCount <= 8)
     {
         UINT numColors = converted->bmiHeader.biClrUsed;

reactos/win32ss/gdi/ntgdi/region.c

@@ -3988,51 +3988,59 @@ NtGdiUnionRectWithRgn(
  *
  * If the function fails, the return value is zero."
  */
-DWORD APIENTRY
+_Success_(return!=0)
+ULONG
+APIENTRY
 NtGdiGetRegionData(
-    HRGN hrgn,
+    _In_ HRGN hrgn,
-    DWORD count,
+    _In_ ULONG cjBuffer,
-    LPRGNDATA rgndata
+    _Out_opt_bytecap_(cjBuffer) LPRGNDATA lpRgnData)
-)
 {
-    DWORD size;
+    ULONG cjSize;
-    PROSRGNDATA obj = RGNOBJAPI_Lock(hrgn, NULL);
+    PREGION prgn;
-    NTSTATUS Status = STATUS_SUCCESS;
 
-    if (!obj)
+    /* Lock the region */
-        return 0;
+    prgn = RGNOBJAPI_Lock(hrgn, NULL);
-
+    if (!prgn)
-    size = obj->rdh.nCount * sizeof(RECT);
-    if (count < (size + sizeof(RGNDATAHEADER)) || rgndata == NULL)
     {
-        RGNOBJAPI_Unlock(obj);
+        EngSetLastError(ERROR_INVALID_HANDLE);
-        if (rgndata) /* Buffer is too small, signal it by return 0 */
-            return 0;
-        else         /* User requested buffer size with rgndata NULL */
-            return size + sizeof(RGNDATAHEADER);
-    }
-
-    _SEH2_TRY
-    {
-        ProbeForWrite(rgndata, count, 1);
-        RtlCopyMemory(rgndata, &obj->rdh, sizeof(RGNDATAHEADER));
-        RtlCopyMemory(rgndata->Buffer, obj->Buffer, size);
-    }
-    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
-    {
-        Status = _SEH2_GetExceptionCode();
-    }
-    _SEH2_END;
-
-    if (!NT_SUCCESS(Status))
-    {
-        SetLastNtError(Status);
-        RGNOBJAPI_Unlock(obj);
         return 0;
     }
 
-    RGNOBJAPI_Unlock(obj);
+    /* Calculate the region size */
-    return size + sizeof(RGNDATAHEADER);
+    cjSize = prgn->rdh.nCount * sizeof(RECT) + sizeof(RGNDATAHEADER);
+
+    /* Check if region data is requested */
+    if (lpRgnData)
+    {
+        /* Check if the buffer is large enough */
+        if (cjBuffer >= cjSize)
+        {
+            /* Probe the buffer and copy the data */
+            _SEH2_TRY
+            {
+                ProbeForWrite(lpRgnData, cjSize, sizeof(ULONG));
+                RtlCopyMemory(lpRgnData, &prgn->rdh, sizeof(RGNDATAHEADER));
+                RtlCopyMemory(lpRgnData->Buffer, prgn->Buffer, cjSize);
+            }
+            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+            {
+                EngSetLastError(ERROR_INVALID_PARAMETER);
+                cjSize = 0;
+            }
+            _SEH2_END;
+        }
+        else
+        {
+            /* Buffer is too small */
+            EngSetLastError(ERROR_INVALID_PARAMETER);
+            cjSize = 0;
+        }
+    }
+
+    /* Unlock the region and return the size */
+    RGNOBJAPI_Unlock(prgn);
+    return cjSize;
 }
 
 /* EOF */

reactos/win32ss/include/ntuser.h

@@ -2024,13 +2024,14 @@ NtUserGetGUIThreadInfo(
   DWORD idThread,
   LPGUITHREADINFO lpgui);
 
+_Success_(return!=FALSE)
 BOOL
 NTAPI
 NtUserGetIconInfo(
    _In_      HANDLE hCurIcon,
    _Out_opt_ PICONINFO IconInfo,
-   _Out_opt_ PUNICODE_STRING lpInstName,
+   _Inout_opt_ PUNICODE_STRING lpInstName,
-   _Out_opt_ PUNICODE_STRING lpResName,
+   _Inout_opt_ PUNICODE_STRING lpResName,
    _Out_opt_ LPDWORD pbpp,
    _In_      BOOL bInternal);
 
@@ -2782,7 +2783,7 @@ typedef struct _tagFINDEXISTINGCURICONPARAM
     LONG cx;
     LONG cy;
 } FINDEXISTINGCURICONPARAM;
-  
+
 HICON
 NTAPI
 NtUserFindExistingCursorIcon(
@@ -2799,7 +2800,7 @@ NtUserSetCursorIconData(
   HMODULE hModule,
   HRSRC hRsrc,
   HRSRC hGroupRsrc);
-  
+
 HICON
 NTAPI
 NtUserFindExistingCursorIcon(

reactos/win32ss/user/ntuser/class.c

@@ -125,7 +125,7 @@ _Must_inspect_result_
 NTSTATUS
 NTAPI
 ProbeAndCaptureUnicodeStringOrAtom(
-    _Out_ PUNICODE_STRING pustrOut,
+    _Out_ _When_(return>=0, _At_(pustrOut->Buffer, _Post_ _Notnull_)) PUNICODE_STRING pustrOut,
     __in_data_source(USER_MODE) _In_ PUNICODE_STRING pustrUnsafe)
 {
     NTSTATUS Status = STATUS_SUCCESS;

reactos/win32ss/user/ntuser/class.h

@@ -63,7 +63,7 @@ _Must_inspect_result_
 NTSTATUS
 NTAPI
 ProbeAndCaptureUnicodeStringOrAtom(
-    _Out_ PUNICODE_STRING pustrOut,
+    _Out_ _When_(return>=0, _At_(pustrOut->Buffer, _Post_ _Notnull_)) PUNICODE_STRING pustrOut,
     __in_data_source(USER_MODE) _In_ PUNICODE_STRING pustrUnsafe);
 
 /* EOF */

reactos/win32ss/user/ntuser/cursoricon.c

@@ -240,7 +240,7 @@ IntDestroyCurIconObject(PCURICON_OBJECT CurIcon, PPROCESSINFO ppi)
     HBITMAP bmpMask, bmpColor;
     BOOLEAN Ret, bListEmpty, bFound = FALSE;
     PCURICON_PROCESS Current = NULL;
-    
+
     /* For handles created without any data (error handling) */
     if(IsListEmpty(&CurIcon->ProcessList))
         goto emptyList;
@@ -256,7 +256,7 @@ IntDestroyCurIconObject(PCURICON_OBJECT CurIcon, PPROCESSINFO ppi)
             break;
         }
     }
-    
+
     if(!bFound)
     {
         /* This object doesn't belong to this process */
@@ -386,6 +386,18 @@ NtUserGetIconInfo(
         ProbeForWrite(IconInfo, sizeof(ICONINFO), 1);
         RtlCopyMemory(IconInfo, &ii, sizeof(ICONINFO));
 
+        /// @todo Implement support for lpInstName
+        if (lpInstName)
+        {
+            RtlInitEmptyUnicodeString(lpInstName, NULL, 0);
+        }
+
+        /// @todo Implement support for lpResName
+        if (lpResName)
+        {
+            RtlInitEmptyUnicodeString(lpResName, NULL, 0);
+        }
+
         if (pbpp)
         {
             ProbeForWrite(pbpp, sizeof(DWORD), 1);
@@ -1049,7 +1061,7 @@ UserDrawIconEx(
     RECTL rcDest, rcSrc;
     CLIPOBJ* pdcClipObj = NULL;
     EXLATEOBJ exlo;
-    
+
     /* Stupid case */
     if((diFlags & DI_NORMAL) == 0)
     {
@@ -1059,12 +1071,12 @@ UserDrawIconEx(
 
     hbmMask = pIcon->IconInfo.hbmMask;
     hbmColor = pIcon->IconInfo.hbmColor;
-    
+
     if (istepIfAniCur)
         ERR("NtUserDrawIconEx: istepIfAniCur is not supported!\n");
-    
+
     /*
-     * Get our objects. 
+     * Get our objects.
      * Shared locks are enough, we are only reading those bitmaps
      */
     psurfMask = SURFACE_ShareLockSurface(hbmMask);
@@ -1073,7 +1085,7 @@ UserDrawIconEx(
         ERR("Unable to lock the mask surface.\n");
         return FALSE;
     }
-    
+
     /* Color bitmap is not mandatory */
     if(hbmColor == NULL)
     {
@@ -1087,7 +1099,7 @@ UserDrawIconEx(
         SURFACE_ShareUnlockSurface(psurfMask);
         return FALSE;
     }
-    
+
     /* Set source rect */
     RECTL_vSetRect(&rcSrc, 0, 0, pIcon->Size.cx, pIcon->Size.cy);
 
@@ -1119,17 +1131,17 @@ UserDrawIconEx(
     if (!cxWidth)
     {
         if(diFlags & DI_DEFAULTSIZE)
-            cxWidth = pIcon->IconInfo.fIcon ? 
+            cxWidth = pIcon->IconInfo.fIcon ?
                 UserGetSystemMetrics(SM_CXICON) : UserGetSystemMetrics(SM_CXCURSOR);
         else
             cxWidth = pIcon->Size.cx;
     }
-    
+
     /* Fix height parameter, if needed */
     if (!cyHeight)
     {
         if(diFlags & DI_DEFAULTSIZE)
-            cyHeight = pIcon->IconInfo.fIcon ? 
+            cyHeight = pIcon->IconInfo.fIcon ?
                 UserGetSystemMetrics(SM_CYICON) : UserGetSystemMetrics(SM_CYCURSOR);
         else
             cyHeight = pIcon->Size.cy;
@@ -1143,9 +1155,9 @@ UserDrawIconEx(
         /* Yes: Allocate and paint the offscreen surface */
         EBRUSHOBJ eboFill;
         PBRUSH pbrush = BRUSH_ShareLockBrush(hbrFlickerFreeDraw);
-        
+
         TRACE("Performing off-screen rendering.\n");
-        
+
         if(!pbrush)
         {
             ERR("Failed to get brush object.\n");
@@ -1171,11 +1183,11 @@ UserDrawIconEx(
             BRUSH_ShareUnlockBrush(pbrush);
             return FALSE;
         }
-        
+
         /* Paint the brush */
         EBRUSHOBJ_vInit(&eboFill, pbrush, psurfOffScreen, 0x00FFFFFF, 0, NULL);
         RECTL_vSetRect(&rcDest, 0, 0, cxWidth, cyHeight);
-        
+
         Ret = IntEngBitBlt(&psurfOffScreen->SurfObj,
             NULL,
             NULL,
@@ -1191,7 +1203,7 @@ UserDrawIconEx(
         /* Clean up everything */
         EBRUSHOBJ_vCleanup(&eboFill);
         BRUSH_ShareUnlockBrush(pbrush);
-            
+
         if(!Ret)
         {
             ERR("Failed to paint the off-screen surface.\n");
@@ -1200,7 +1212,7 @@ UserDrawIconEx(
             GDIOBJ_vDeleteObject(&psurfOffScreen->BaseObject);
             return FALSE;
         }
-        
+
         /* We now have our destination surface */
         psurfDest = psurfOffScreen;
     }
@@ -1208,7 +1220,7 @@ UserDrawIconEx(
     {
         /* We directly draw to the DC */
         TRACE("Performing on screen rendering.\n");
-        
+
         psurfOffScreen = NULL;
         pdc = DC_LockDc(hDc);
         if(!pdc)
@@ -1222,16 +1234,16 @@ UserDrawIconEx(
         RECTL_vSetRect(&rcDest, xLeft, yTop, xLeft + cxWidth, yTop + cyHeight);
         IntLPtoDP(pdc, (LPPOINT)&rcDest, 2);
         RECTL_vOffsetRect(&rcDest, pdc->ptlDCOrig.x, pdc->ptlDCOrig.y);
-        
+
         /* Prepare the underlying surface */
         DC_vPrepareDCsForBlit(pdc, rcDest, NULL, rcDest);
-        
+
         /* Get the clip object */
         pdcClipObj = pdc->rosdc.CombinedClip;
-        
+
         /* We now have our destination surface and rectangle */
         psurfDest = pdc->dclevel.pSurface;
-        
+
         if(psurfDest == NULL)
         {
             /* Empty DC */
@@ -1281,10 +1293,10 @@ UserDrawIconEx(
 				ptr += 4;
             }
         }
-        
+
         /* Initialize color translation object */
         EXLATEOBJ_vInitialize(&exlo, psurf->ppal, psurfDest->ppal, 0xFFFFFFFF, 0xFFFFFFFF, 0);
-        
+
         /* Now do it */
         Ret = IntEngAlphaBlend(&psurfDest->SurfObj,
                                &psurf->SurfObj,
@@ -1293,9 +1305,9 @@ UserDrawIconEx(
                                &rcDest,
                                &rcSrc,
                                &blendobj);
-        
+
         EXLATEOBJ_vCleanup(&exlo);
-        
+
     CleanupAlpha:
         if(psurf) SURFACE_ShareUnlockSurface(psurf);
         if(hsurfCopy) NtGdiDeleteObjectApp(hsurfCopy);
@@ -1306,9 +1318,9 @@ UserDrawIconEx(
     if (diFlags & DI_MASK)
     {
         DWORD rop4 = (diFlags & DI_IMAGE) ? ROP4_SRCAND : ROP4_SRCCOPY;
-        
+
         EXLATEOBJ_vInitSrcMonoXlate(&exlo, psurfDest->ppal, 0x00FFFFFF, 0);
-        
+
         Ret = IntEngStretchBlt(&psurfDest->SurfObj,
                                &psurfMask->SurfObj,
                                NULL,
@@ -1321,7 +1333,7 @@ UserDrawIconEx(
                                NULL,
                                NULL,
                                rop4);
-        
+
         EXLATEOBJ_vCleanup(&exlo);
 
         if(!Ret)
@@ -1336,9 +1348,9 @@ UserDrawIconEx(
 		if (psurfColor)
         {
             DWORD rop4 = (diFlags & DI_MASK) ? ROP4_SRCINVERT : ROP4_SRCCOPY ;
-            
+
             EXLATEOBJ_vInitialize(&exlo, psurfColor->ppal, psurfDest->ppal, 0x00FFFFFF, 0x00FFFFFF, 0);
-            
+
             Ret = IntEngStretchBlt(&psurfDest->SurfObj,
                                    &psurfColor->SurfObj,
                                    NULL,
@@ -1351,7 +1363,7 @@ UserDrawIconEx(
                                    NULL,
                                    NULL,
                                    rop4);
-        
+
             EXLATEOBJ_vCleanup(&exlo);
 
             if(!Ret)
@@ -1365,9 +1377,9 @@ UserDrawIconEx(
             /* Mask bitmap holds the information in its bottom half */
             DWORD rop4 = (diFlags & DI_MASK) ? ROP4_SRCINVERT : ROP4_SRCCOPY;
             RECTL_vOffsetRect(&rcSrc, 0, pIcon->Size.cy);
-            
+
             EXLATEOBJ_vInitSrcMonoXlate(&exlo, psurfDest->ppal, 0x00FFFFFF, 0);
-        
+
             Ret = IntEngStretchBlt(&psurfDest->SurfObj,
                                    &psurfMask->SurfObj,
                                    NULL,
@@ -1380,7 +1392,7 @@ UserDrawIconEx(
                                    NULL,
                                    NULL,
                                    rop4);
-            
+
             EXLATEOBJ_vCleanup(&exlo);
 
             if(!Ret)
@@ -1407,13 +1419,13 @@ done:
         RECTL_vSetRect(&rcDest, xLeft, yTop, xLeft + cxWidth, yTop + cyHeight);
         IntLPtoDP(pdc, (LPPOINT)&rcDest, 2);
         RECTL_vOffsetRect(&rcDest, pdc->ptlDCOrig.x, pdc->ptlDCOrig.y);
-        
+
         /* Prepare the underlying surface */
         DC_vPrepareDCsForBlit(pdc, rcDest, NULL, rcDest);
-        
+
         /* Get the clip object */
         pdcClipObj = pdc->rosdc.CombinedClip;
-        
+
         /* We now have our destination surface and rectangle */
         psurfDest = pdc->dclevel.pSurface;
         if(!psurfDest)
@@ -1422,10 +1434,10 @@ done:
             DC_UnlockDc(pdc);
             goto Cleanup2;
         }
-        
+
         /* Color translation */
         EXLATEOBJ_vInitialize(&exlo, psurfOffScreen->ppal, psurfDest->ppal, 0x00FFFFFF, 0x00FFFFFF, 0);
-        
+
         /* Blt it! */
         Ret = IntEngBitBlt(&psurfDest->SurfObj,
                            &psurfOffScreen->SurfObj,
@@ -1438,7 +1450,7 @@ done:
                            NULL,
                            NULL,
                            ROP4_SRCCOPY);
-                           
+
         EXLATEOBJ_vCleanup(&exlo);
     }
 Cleanup:
@@ -1447,12 +1459,12 @@ Cleanup:
         DC_vFinishBlit(pdc, NULL);
         DC_UnlockDc(pdc);
     }
-    
+
 Cleanup2:
     /* Delete off screen rendering surface */
     if(psurfOffScreen)
         GDIOBJ_vDeleteObject(&psurfOffScreen->BaseObject);
-    
+
     /* Unlock other surfaces */
     SURFACE_ShareUnlockSurface(psurfMask);
     if(psurfColor) SURFACE_ShareUnlockSurface(psurfColor);

reactos/win32ss/user/ntuser/desktop.c

@@ -65,7 +65,9 @@ IntDesktopObjectParse(IN PVOID ParseObject,
         /* Get the current desktop */
         Desktop = CONTAINING_RECORD(NextEntry, DESKTOP, ListEntry);
 
+        /// @todo Don't mess around with the object headers!
         /* Get its name */
+        _PRAGMA_WARNING_SUPPRESS(__WARNING_DEREF_NULL_PTR)
         DesktopName = GET_DESKTOP_NAME(Desktop);
         if (DesktopName)
         {
@@ -1262,7 +1264,7 @@ NtUserCreateDesktop(
                dwDesiredAccess,
                (PVOID)&Context,
                (HANDLE*)&hdesk);
-   if (!NT_SUCCESS(Status)) 
+   if (!NT_SUCCESS(Status))
    {
       ERR("ObOpenObjectByName failed to open/create desktop\n");
       SetLastNtError(Status);
@@ -1294,7 +1296,7 @@ NtUserCreateDesktop(
 
    /* Get the desktop window class. The thread desktop does not belong to any desktop
     * so the classes created there (including the desktop class) are allocated in the shared heap
-    * It would cause problems if we used a class that belongs to the caller 
+    * It would cause problems if we used a class that belongs to the caller
     */
    ClassName.Buffer = WC_DESKTOP;
    ClassName.Length = 0;
@@ -1327,7 +1329,7 @@ NtUserCreateDesktop(
    pdesk->DesktopWindow = pWnd->head.h;
    pdesk->pDeskInfo->spwnd = pWnd;
    pWnd->fnid = FNID_DESKTOP;
-   
+
    ClassName.Buffer = MAKEINTATOM(gpsi->atomSysClass[ICLS_HWNDMESSAGE]);
    ClassName.Length = 0;
    pcls = IntGetAndReferenceClass(&ClassName, 0, TRUE);

reactos/win32ss/user/ntuser/focus.c

@@ -358,15 +358,20 @@ CanForceFG(PPROCESSINFO ppi)
 */
 
 static BOOL FASTCALL
-co_IntSetForegroundAndFocusWindow(PWND Wnd, BOOL MouseActivate)
+co_IntSetForegroundAndFocusWindow(
+    _In_ PWND Wnd,
+    _In_ BOOL MouseActivate)
 {
-   HWND hWnd = UserHMGetHandle(Wnd);
+   HWND hWnd;
    HWND hWndPrev = NULL;
    PUSER_MESSAGE_QUEUE PrevForegroundQueue;
    PTHREADINFO pti;
    BOOL fgRet = FALSE, Ret = FALSE;
 
    ASSERT_REFS_CO(Wnd);
+   NT_ASSERT(Wnd != NULL);
+
+   hWnd = UserHMGetHandle(Wnd);
 
    TRACE("SetForegroundAndFocusWindow(%x, %s)\n", hWnd, (MouseActivate ? "TRUE" : "FALSE"));
 

reactos/win32ss/user/ntuser/hook.c

@@ -1050,6 +1050,8 @@ IntRemoveHook(PHOOK Hook)
           }
           _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
           {
+              /* Do nothing */
+              (void)0;
           }
           _SEH2_END;
        }
@@ -1241,6 +1243,8 @@ co_HOOK_CallHooks( INT HookId,
           }
           _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
           {
+              /* Do nothing */
+              (void)0;
           }
           _SEH2_END;
        }

reactos/win32ss/user/ntuser/kbdlayout.c

@@ -254,9 +254,10 @@ UserLoadKbdLayout(PUNICODE_STRING pwszKLID, HKL hKL)
  */
 static
 VOID
-UnloadKbdFile(PKBDFILE pkf)
+UnloadKbdFile(_In_ PKBDFILE pkf)
 {
     PKBDFILE *ppkfLink = &gpkfList;
+    NT_ASSERT(pkf != NULL);
 
     /* Find previous object */
     while (*ppkfLink)

reactos/win32ss/user/ntuser/keyboard.c

@@ -385,7 +385,7 @@ IntTranslateChar(WORD wVirtKey,
     /* If nothing has been found in layout, check if this is ASCII control character.
        Note: we could add it to layout table, but windows does not have it there */
     if (wVirtKey >= 'A' && wVirtKey <= 'Z' &&
-        IS_KEY_DOWN(pKeyState, VK_CONTROL) &&
+        pKeyState && IS_KEY_DOWN(pKeyState, VK_CONTROL) &&
         !IS_KEY_DOWN(pKeyState, VK_MENU))
     {
         *pwcTranslatedChar = (wVirtKey - 'A') + 1; /* ASCII control character */
@@ -1097,7 +1097,7 @@ IntTranslateKbdMessage(LPMSG lpMsg,
     {
        pti->KeyboardLayout = W32kGetDefaultKeyLayout();
        pti->pClientInfo->hKL = pti->KeyboardLayout ? pti->KeyboardLayout->hkl : NULL;
-       pKbdTbl = pti->KeyboardLayout->spkf->pKbdTbl;
+       pKbdTbl = pti->KeyboardLayout ? pti->KeyboardLayout->spkf->pKbdTbl : NULL;
     }
     else
        pKbdTbl = pti->KeyboardLayout->spkf->pKbdTbl;

reactos/win32ss/user/ntuser/menu.c

@@ -249,8 +249,8 @@ IntCreateMenu(PHANDLE Handle, BOOL IsMenuBar)
    PPROCESSINFO CurrentWin32Process;
 
    Menu = (PMENU_OBJECT)UserCreateObject( gHandleTable,
-                                          NULL, 
+                                          NULL,
-                                          NULL, 
+                                          NULL,
                                           Handle,
                                           otMenu,
                                           sizeof(MENU_OBJECT));
@@ -361,8 +361,8 @@ IntCloneMenu(PMENU_OBJECT Source)
       return NULL;
 
    Menu = (PMENU_OBJECT)UserCreateObject( gHandleTable,
-                                          NULL, 
+                                          NULL,
-                                          NULL, 
+                                          NULL,
                                           &hMenu,
                                           otMenu,
                                           sizeof(MENU_OBJECT));
@@ -803,13 +803,18 @@ IntSetMenuItemInfo(PMENU_OBJECT MenuObject, PMENU_ITEM MenuItem, PROSMENUITEMINF
 }
 
 BOOL FASTCALL
-IntInsertMenuItem(PMENU_OBJECT MenuObject, UINT uItem, BOOL fByPosition,
+IntInsertMenuItem(
-                  PROSMENUITEMINFO ItemInfo)
+    _In_ PMENU_OBJECT MenuObject,
+    UINT uItem,
+    BOOL fByPosition,
+    PROSMENUITEMINFO ItemInfo)
 {
    int pos;
    PMENU_ITEM MenuItem;
    PMENU_OBJECT SubMenu = NULL;
 
+   NT_ASSERT(MenuObject != NULL);
+
    if (MAX_MENU_ITEMS <= MenuObject->MenuInfo.MenuItemCount)
    {
       EngSetLastError(ERROR_NOT_ENOUGH_MEMORY);

reactos/win32ss/user/ntuser/menu.h

@@ -64,7 +64,7 @@ BOOL FASTCALL
 IntCleanupMenus(struct _EPROCESS *Process, PPROCESSINFO Win32Process);
 
 BOOL FASTCALL
-IntInsertMenuItem(PMENU_OBJECT MenuObject, UINT uItem, BOOL fByPosition,
+IntInsertMenuItem(_In_ PMENU_OBJECT MenuObject, UINT uItem, BOOL fByPosition,
                   PROSMENUITEMINFO ItemInfo);
 
 PMENU_OBJECT FASTCALL

reactos/win32ss/user/ntuser/message.c

@@ -116,7 +116,7 @@ typedef struct tagMSGMEMORY
 }
 MSGMEMORY, *PMSGMEMORY;
 
-static MSGMEMORY MsgMemory[] =
+static MSGMEMORY g_MsgMemory[] =
 {
     { WM_CREATE, MMS_SIZE_SPECIAL, MMS_FLAG_READWRITE },
     { WM_DDE_ACK, sizeof(KMDDELPARAM), MMS_FLAG_READ },
@@ -140,8 +140,8 @@ FindMsgMemory(UINT Msg)
     PMSGMEMORY MsgMemoryEntry;
 
     /* See if this message type is present in the table */
-    for (MsgMemoryEntry = MsgMemory;
+    for (MsgMemoryEntry = g_MsgMemory;
-    MsgMemoryEntry < MsgMemory + sizeof(MsgMemory) / sizeof(MSGMEMORY);
+    MsgMemoryEntry < g_MsgMemory + sizeof(g_MsgMemory) / sizeof(MSGMEMORY);
     MsgMemoryEntry++)
     {
         if (Msg == MsgMemoryEntry->Message)
@@ -225,9 +225,9 @@ MsgMemorySize(PMSGMEMORY MsgMemoryEntry, WPARAM wParam, LPARAM lParam)
 
 UINT lParamMemorySize(UINT Msg, WPARAM wParam, LPARAM lParam)
 {
-    PMSGMEMORY MsgMemory = FindMsgMemory(Msg);
+    PMSGMEMORY MsgMemoryEntry = FindMsgMemory(Msg);
-    if(MsgMemory == NULL) return 0;
+    if(MsgMemoryEntry == NULL) return 0;
-    return MsgMemorySize(MsgMemory, wParam, lParam);
+    return MsgMemorySize(MsgMemoryEntry, wParam, lParam);
 }
 
 static NTSTATUS
@@ -388,9 +388,9 @@ UnpackParam(LPARAM lParamPacked, UINT Msg, WPARAM wParam, LPARAM lParam, BOOL No
             return STATUS_INVALID_PARAMETER;
         }
 
-        if (MsgMemory->Flags == MMS_FLAG_READWRITE)
+        if (MsgMemoryEntry->Flags == MMS_FLAG_READWRITE)
         {
-            //RtlCopyMemory((PVOID)lParam, (PVOID)lParamPacked, MsgMemory->Size);
+            //RtlCopyMemory((PVOID)lParam, (PVOID)lParamPacked, MsgMemoryEntry->Size);
         }
         ExFreePool((PVOID) lParamPacked);
         return STATUS_SUCCESS;

reactos/win32ss/user/ntuser/monitor.c

@@ -139,7 +139,7 @@ UserAttachMonitor(IN HDEV hDev)
         TRACE("Couldnt create monitor object\n");
         return STATUS_INSUFFICIENT_RESOURCES;
     }
-    
+
     pMonitor->hDev = hDev;
     pMonitor->cWndStack = 0;
 
@@ -185,7 +185,7 @@ UserDetachMonitor(IN HDEV hDev)
     {
         if (pMonitor->hDev == hDev)
             break;
-    
+
         pLink = &pMonitor->pMonitorNext;
         pMonitor = pMonitor->pMonitorNext;
     }

reactos/win32ss/user/ntuser/msgqueue.c

@@ -704,7 +704,7 @@ MsqDestroyMessage(PUSER_MESSAGE Message)
 }
 
 BOOLEAN FASTCALL
-co_MsqDispatchOneSentMessage(PUSER_MESSAGE_QUEUE MessageQueue)
+co_MsqDispatchOneSentMessage(_In_ PUSER_MESSAGE_QUEUE MessageQueue)
 {
    PUSER_SENT_MESSAGE SaveMsg, Message;
    PLIST_ENTRY Entry;
@@ -1331,7 +1331,7 @@ FASTCALL
 IntTrackMouseMove(PWND pwndTrack, PDESKTOP pDesk, PMSG msg, USHORT hittest)
 {
 //   PWND pwndTrack = IntChildrenWindowFromPoint(pwndMsg, msg->pt.x, msg->pt.y);
-   hittest = GetNCHitEx(pwndTrack, msg->pt);
+   hittest = (USHORT)GetNCHitEx(pwndTrack, msg->pt); /// @todo WTF is this???
 
    if ( pDesk->spwndTrack != pwndTrack || // Change with tracking window or
         msg->message != WM_MOUSEMOVE   || // Mouse click changes or

reactos/win32ss/user/ntuser/msgqueue.h

@@ -188,7 +188,7 @@ BOOLEAN FASTCALL MsqInitializeMessageQueue(PTHREADINFO, PUSER_MESSAGE_QUEUE);
 PUSER_MESSAGE_QUEUE FASTCALL MsqCreateMessageQueue(PTHREADINFO);
 VOID FASTCALL MsqDestroyMessageQueue(PTHREADINFO);
 INIT_FUNCTION NTSTATUS NTAPI MsqInitializeImpl(VOID);
-BOOLEAN FASTCALL co_MsqDispatchOneSentMessage(PUSER_MESSAGE_QUEUE MessageQueue);
+BOOLEAN FASTCALL co_MsqDispatchOneSentMessage(_In_ PUSER_MESSAGE_QUEUE MessageQueue);
 NTSTATUS FASTCALL
 co_MsqWaitForNewMessages(PUSER_MESSAGE_QUEUE MessageQueue, PWND WndFilter,
                       UINT MsgFilterMin, UINT MsgFilterMax);

reactos/win32ss/user/ntuser/scrollbar.c

@@ -345,7 +345,7 @@ co_IntSetScrollInfo(PWND Window, INT nBar, LPCSCROLLINFO lpsi, BOOL bRedraw)
    UINT new_flags;
    INT action = 0;
    PSBDATA pSBData;
-   DWORD OldPos;
+   DWORD OldPos = 0;
    BOOL bChangeParams = FALSE; /* Don't show/hide scrollbar if params don't change */
 
    ASSERT_REFS_CO(Window);

reactos/win32ss/user/ntuser/sysparams.c

@@ -617,7 +617,7 @@ SpiSetWallpaper(PVOID pvParam, FLONG fl)
     }
 
     /* Capture UNICODE_STRING */
-    bResult = SpiMemCopy(&ustr, pvParam, sizeof(UNICODE_STRING), fl & SPIF_PROTECT, 0);
+    bResult = SpiMemCopy(&ustr, pvParam, sizeof(ustr), fl & SPIF_PROTECT, 0);
     if (!bResult) return 0;
     if (ustr.Length > MAX_PATH * sizeof(WCHAR))
         return 0;

reactos/win32ss/user/ntuser/sysparams.h

@@ -141,7 +141,7 @@ typedef struct _SPIVALUES
     ULONG cxWallpaper, cyWallpaper;
     WALLPAPER_MODE WallpaperMode;
     UNICODE_STRING ustrWallpaper;
-    WCHAR awcWallpaper[MAX_PATH];
+    WCHAR awcWallpaper[MAX_PATH + 1];
 
     BOOL bHandHeld;
     BOOL bFastTaskSwitch;

reactos/win32ss/user/ntuser/timer.c

@@ -359,7 +359,7 @@ FASTCALL
 StartTheTimers(VOID)
 {
   // Need to start gdi syncro timers then start timer with Hang App proc
-  // that calles Idle process so the screen savers will know to run......    
+  // that calles Idle process so the screen savers will know to run......
   IntSetTimer(NULL, 0, 1000, HungAppSysTimerProc, TMRF_RIT);
 // Test Timers
 //  IntSetTimer(NULL, 0, 1000, SystemTimerProc, TMRF_RIT);
@@ -584,9 +584,14 @@ NTAPI
 InitTimerImpl(VOID)
 {
    ULONG BitmapBytes;
-   
+
    /* Allocate FAST_MUTEX from non paged pool */
    Mutex = ExAllocatePoolWithTag(NonPagedPool, sizeof(FAST_MUTEX), TAG_INTERNAL_SYNC);
+   if (!Mutex)
+   {
+       return STATUS_INSUFFICIENT_RESOURCES;
+   }
+
    ExInitializeFastMutex(Mutex);
 
    BitmapBytes = ROUND_UP(NUM_WINDOW_LESS_TIMERS, sizeof(ULONG) * 8) / 8;

reactos/win32ss/user/ntuser/windc.c

@@ -852,7 +852,7 @@ DceResetActiveDCEs(PWND Window)
          {
             if (!pDCE->hwndCurrent)
                CurrentWindow = NULL;
-            else 
+            else
                CurrentWindow = UserGetWindowObject(pDCE->hwndCurrent);
             if (NULL == CurrentWindow)
             {

reactos/win32ss/user/ntuser/window.c

@@ -497,6 +497,7 @@ static LRESULT co_UserFreeWindow(PWND Window,
    /* flush the message queue */
    MsqRemoveWindowMessagesFromQueue(Window);
 
+   NT_ASSERT(Window->head.pti);
    IntDereferenceMessageQueue(Window->head.pti->MessageQueue);
 
    /* from now on no messages can be sent to this window anymore */
@@ -1987,7 +1988,7 @@ co_UserCreateWindowEx(CREATESTRUCTW* Cs,
    PWINSTATION_OBJECT WinSta;
    PCLS Class = NULL;
    SIZE Size;
-   POINT MaxPos;
+   POINT MaxSize, MaxPos, MinTrack, MaxTrack;
    CBT_CREATEWNDW * pCbtCreate;
    LRESULT Result;
    USER_REFERENCE_ENTRY ParentRef, Ref;
@@ -2190,8 +2191,6 @@ co_UserCreateWindowEx(CREATESTRUCTW* Cs,
 
    if ((Cs->style & WS_THICKFRAME) || !(Cs->style & (WS_POPUP | WS_CHILD)))
    {
-      POINT MaxSize, MaxPos, MinTrack, MaxTrack;
-
       co_WinPosGetMinMaxInfo(Window, &MaxSize, &MaxPos, &MinTrack, &MaxTrack);
       if (Size.cx > MaxTrack.x) Size.cx = MaxTrack.x;
       if (Size.cy > MaxTrack.y) Size.cy = MaxTrack.y;
@@ -2542,7 +2541,7 @@ BOOLEAN FASTCALL co_UserDestroyWindow(PWND Window)
 
    TRACE("co_UserDestroyWindow \n");
 
-   /* Check for owner thread */  
+   /* Check for owner thread */
    if ( Window->head.pti != PsGetCurrentThreadWin32Thread())
    {
        /* Check if we are destroying the desktop window */
@@ -2627,7 +2626,7 @@ BOOLEAN FASTCALL co_UserDestroyWindow(PWND Window)
     * Check if this window is the Shell's Desktop Window. If so set hShellWindow to NULL
     */
 
-   if ((ti != NULL) & (ti->pDeskInfo != NULL))
+   if ((ti != NULL) && (ti->pDeskInfo != NULL))
    {
       if (ti->pDeskInfo->hShellWindow == hWnd)
       {
@@ -3074,8 +3073,6 @@ PWND FASTCALL UserGetAncestor(PWND Wnd, UINT Type)
 
             for (;;)
             {
-               PWND Parent;
-
                Parent = IntGetParent(WndAncestor);
 
                if (!Parent)

reactos/win32ss/user/ntuser/winsta.c

@@ -57,7 +57,10 @@ UserCreateWinstaDirectoy()
     Peb = NtCurrentPeb();
     if(Peb->SessionId == 0)
     {
-        RtlCreateUnicodeString(&gustrWindowStationsDir, WINSTA_OBJ_DIR);
+        if (!RtlCreateUnicodeString(&gustrWindowStationsDir, WINSTA_OBJ_DIR))
+        {
+            return STATUS_INSUFFICIENT_RESOURCES;
+        }
     }
     else
     {
@@ -67,7 +70,10 @@ UserCreateWinstaDirectoy()
                  Peb->SessionId,
                  WINSTA_OBJ_DIR);
 
-        RtlCreateUnicodeString( &gustrWindowStationsDir, wstrWindowStationsDir);
+        if (!RtlCreateUnicodeString(&gustrWindowStationsDir, wstrWindowStationsDir))
+        {
+            return STATUS_INSUFFICIENT_RESOURCES;
+        }
     }
 
    InitializeObjectAttributes(&ObjectAttributes,
@@ -1024,27 +1030,30 @@ BuildWindowStationNameList(
                                       &ReturnLength);
       if (STATUS_BUFFER_TOO_SMALL == Status)
       {
-         BufferSize = ReturnLength;
+         ObDereferenceObject(DirectoryHandle);
-         Buffer = ExAllocatePoolWithTag(PagedPool, BufferSize, TAG_WINSTA);
+         return STATUS_NO_MEMORY;
-         if (NULL == Buffer)
+      }
-         {
-            ObDereferenceObject(DirectoryHandle);
-            return STATUS_NO_MEMORY;
-         }
 
-         /* We should have a sufficiently large buffer now */
+      BufferSize = ReturnLength;
-         Context = 0;
+      Buffer = ExAllocatePoolWithTag(PagedPool, BufferSize, TAG_WINSTA);
-         Status = ZwQueryDirectoryObject(DirectoryHandle, Buffer, BufferSize,
+      if (NULL == Buffer)
-                                         FALSE, TRUE, &Context, &ReturnLength);
+      {
-         if (! NT_SUCCESS(Status) ||
+         ObDereferenceObject(DirectoryHandle);
-               STATUS_NO_MORE_ENTRIES != ZwQueryDirectoryObject(DirectoryHandle, NULL, 0, FALSE,
+         return STATUS_NO_MEMORY;
-                     FALSE, &Context, NULL))
+      }
-         {
+
-            /* Something went wrong, maybe someone added a directory entry? Just give up. */
+      /* We should have a sufficiently large buffer now */
-            ExFreePoolWithTag(Buffer, TAG_WINSTA);
+      Context = 0;
-            ObDereferenceObject(DirectoryHandle);
+      Status = ZwQueryDirectoryObject(DirectoryHandle, Buffer, BufferSize,
-            return NT_SUCCESS(Status) ? STATUS_INTERNAL_ERROR : Status;
+                                      FALSE, TRUE, &Context, &ReturnLength);
-         }
+      if (! NT_SUCCESS(Status) ||
+            STATUS_NO_MORE_ENTRIES != ZwQueryDirectoryObject(DirectoryHandle, NULL, 0, FALSE,
+                  FALSE, &Context, NULL))
+      {
+         /* Something went wrong, maybe someone added a directory entry? Just give up. */
+         ExFreePoolWithTag(Buffer, TAG_WINSTA);
+         ObDereferenceObject(DirectoryHandle);
+         return NT_SUCCESS(Status) ? STATUS_INTERNAL_ERROR : Status;
       }
    }
 
@@ -1130,7 +1139,7 @@ BuildWindowStationNameList(
    /*
     * Clean up
     */
-   if (NULL != Buffer && Buffer != InitialBuffer)
+   if (Buffer != InitialBuffer)
    {
       ExFreePoolWithTag(Buffer, TAG_WINSTA);
    }
@@ -1153,6 +1162,7 @@ BuildDesktopNameList(
    DWORD EntryCount;
    ULONG ReturnLength;
    WCHAR NullWchar;
+   PUNICODE_STRING DesktopName;
 
    Status = IntValidateWindowStationHandle(hWindowStation,
                                            KernelMode,
@@ -1175,7 +1185,8 @@ BuildDesktopNameList(
          DesktopEntry = DesktopEntry->Flink)
    {
       DesktopObject = CONTAINING_RECORD(DesktopEntry, DESKTOP, ListEntry);
-      ReturnLength += ((PUNICODE_STRING)GET_DESKTOP_NAME(DesktopObject))->Length + sizeof(WCHAR);
+      DesktopName = GET_DESKTOP_NAME(DesktopObject);
+      if (DesktopName) ReturnLength += DesktopName->Length + sizeof(WCHAR);
       EntryCount++;
    }
    TRACE("Required size: %d Entry count: %d\n", ReturnLength, EntryCount);
@@ -1218,14 +1229,18 @@ BuildDesktopNameList(
          DesktopEntry = DesktopEntry->Flink)
    {
       DesktopObject = CONTAINING_RECORD(DesktopEntry, DESKTOP, ListEntry);
-      Status = MmCopyToCaller(lpBuffer, ((PUNICODE_STRING)GET_DESKTOP_NAME(DesktopObject))->Buffer, ((PUNICODE_STRING)GET_DESKTOP_NAME(DesktopObject))->Length);
+      _PRAGMA_WARNING_SUPPRESS(__WARNING_DEREF_NULL_PTR)
+      DesktopName = GET_DESKTOP_NAME(DesktopObject);/// @todo Don't mess around with the object headers!
+      if (!DesktopName) continue;
+
+      Status = MmCopyToCaller(lpBuffer, DesktopName->Buffer, DesktopName->Length);
       if (! NT_SUCCESS(Status))
       {
          KeReleaseSpinLock(&WindowStation->Lock, OldLevel);
          ObDereferenceObject(WindowStation);
          return Status;
       }
-      lpBuffer = (PVOID) ((PCHAR) lpBuffer + ((PUNICODE_STRING)GET_DESKTOP_NAME(DesktopObject))->Length);
+      lpBuffer = (PVOID) ((PCHAR)lpBuffer + DesktopName->Length);
       Status = MmCopyToCaller(lpBuffer, &NullWchar, sizeof(WCHAR));
       if (! NT_SUCCESS(Status))
       {