[WIN32K:NTUSER]

- Assert sanity of object reference counts in UserReferenceObject, UserDereferenceObject and UserDeleteObject. If you hit a `cLockObj < 0x10000` assertion failure, you have most likely found a use-after-free (RtlFreeHeap places a LIST_ENTRY at this location, so a freed object has a kernel pointer there).
See CORE-8703 for an example.

svn path=/trunk/; revision=66243
This commit is contained in:
Thomas Faber 2015-02-13 10:11:50 +00:00
parent c4f27cbca8
commit f0c36353f3


@ -586,9 +586,10 @@ BOOL
FASTCALL
UserDereferenceObject(PVOID Object)
{
PHEAD ObjHead = (PHEAD)Object;
PHEAD ObjHead = Object;
ASSERT(ObjHead->cLockObj >= 1);
ASSERT(ObjHead->cLockObj < 0x10000);
if (--ObjHead->cLockObj == 0)
{
@ -663,6 +664,7 @@ UserDeleteObject(HANDLE h, HANDLE_TYPE type )
if (!body) return FALSE;
ASSERT( ((PHEAD)body)->cLockObj >= 1);
ASSERT( ((PHEAD)body)->cLockObj < 0x10000);
return UserFreeHandle(gHandleTable, h);
}
@ -671,9 +673,11 @@ VOID
FASTCALL
UserReferenceObject(PVOID obj)
{
ASSERT(((PHEAD)obj)->cLockObj >= 0);
PHEAD ObjHead = obj;
ASSERT(ObjHead->cLockObj >= 0);
ASSERT(ObjHead->cLockObj < 0x10000);
((PHEAD)obj)->cLockObj++;
ObjHead->cLockObj++;
}
PVOID