[WIN32K:NTUSER]
- Assert sanity of object reference counts in UserReferenceObject, UserDereferenceObject and UserDeleteObject. If you hit a cLockObj < 0x10000 assertion failure, you found yourself a use after free (RtlFreeHeap will put a LIST_ENTRY in this location, so a freed item has a kernel pointer there). See CORE-8703 for an example. svn path=/trunk/; revision=66243
parent
c4f27cbca8
commit
f0c36353f3
|
@ -586,9 +586,10 @@ BOOL
|
||||||
FASTCALL
|
FASTCALL
|
||||||
UserDereferenceObject(PVOID Object)
|
UserDereferenceObject(PVOID Object)
|
||||||
{
|
{
|
||||||
PHEAD ObjHead = (PHEAD)Object;
|
PHEAD ObjHead = Object;
|
||||||
|
|
||||||
ASSERT(ObjHead->cLockObj >= 1);
|
ASSERT(ObjHead->cLockObj >= 1);
|
||||||
|
ASSERT(ObjHead->cLockObj < 0x10000);
|
||||||
|
|
||||||
if (--ObjHead->cLockObj == 0)
|
if (--ObjHead->cLockObj == 0)
|
||||||
{
|
{
|
||||||
|
@ -663,6 +664,7 @@ UserDeleteObject(HANDLE h, HANDLE_TYPE type )
|
||||||
if (!body) return FALSE;
|
if (!body) return FALSE;
|
||||||
|
|
||||||
ASSERT( ((PHEAD)body)->cLockObj >= 1);
|
ASSERT( ((PHEAD)body)->cLockObj >= 1);
|
||||||
|
ASSERT( ((PHEAD)body)->cLockObj < 0x10000);
|
||||||
|
|
||||||
return UserFreeHandle(gHandleTable, h);
|
return UserFreeHandle(gHandleTable, h);
|
||||||
}
|
}
|
||||||
|
@ -671,9 +673,11 @@ VOID
|
||||||
FASTCALL
|
FASTCALL
|
||||||
UserReferenceObject(PVOID obj)
|
UserReferenceObject(PVOID obj)
|
||||||
{
|
{
|
||||||
ASSERT(((PHEAD)obj)->cLockObj >= 0);
|
PHEAD ObjHead = obj;
|
||||||
|
ASSERT(ObjHead->cLockObj >= 0);
|
||||||
|
ASSERT(ObjHead->cLockObj < 0x10000);
|
||||||
|
|
||||||
((PHEAD)obj)->cLockObj++;
|
ObjHead->cLockObj++;
|
||||||
}
|
}
|
||||||
|
|
||||||
PVOID
|
PVOID
|
||||||
|
|
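Review bot: The 0x10000 bound is written as a bare literal in all three functions (the new ASSERT lines in UserDereferenceObject, UserDeleteObject and UserReferenceObject) with no in-code explanation of why a lock count above it indicates a freed heap block; a reader of the file without the commit message will not know it stands for "looks like the kernel pointer RtlFreeHeap stores in the freed block's LIST_ENTRY". Define it once with the rationale, e.g. `#define USER_OBJ_MAX_LOCKS 0x10000 /* cLockObj above this is a LIST_ENTRY pointer left by RtlFreeHeap, i.e. the object was already freed */`, and use it in the three ASSERTs. It is also worth saying in that comment that ASSERT is presumably compiled out of free builds, so this is a debugging aid for checked builds and not a mitigation: in a release build the dereference and the `--ObjHead->cLockObj` still run on the corrupted object. In UserReferenceObject, `ASSERT(ObjHead->cLockObj >= 0);` is a tautology if cLockObj is an unsigned field (it reads that way but the HEAD definition is not in this diff, so confirm) and would only draw a -Wtype-limits warning; with the new upper-bound check it could be dropped. The bodies of UserDereferenceObject and UserDeleteObject start or continue outside the hunks shown.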