[WIN32K:NTUSER]
- Assert sanity of object reference counts in UserReferenceObject, UserDereferenceObject and UserDeleteObject. If you hit a cLockObj < 0x10000 assertion failure, you found yourself a use after free (RtlFreeHeap will put a LIST_ENTRY in this location, so a freed item has a kernel pointer there). See CORE-8703 for an example. svn path=/trunk/; revision=66243
parent
c4f27cbca8
commit
f0c36353f3
|
@ -586,9 +586,10 @@ BOOL
|
|||
FASTCALL
|
||||
UserDereferenceObject(PVOID Object)
|
||||
{
|
||||
PHEAD ObjHead = (PHEAD)Object;
|
||||
PHEAD ObjHead = Object;
|
||||
|
||||
ASSERT(ObjHead->cLockObj >= 1);
|
||||
ASSERT(ObjHead->cLockObj < 0x10000);
|
||||
|
||||
if (--ObjHead->cLockObj == 0)
|
||||
{
|
||||
|
@ -663,6 +664,7 @@ UserDeleteObject(HANDLE h, HANDLE_TYPE type )
|
|||
if (!body) return FALSE;
|
||||
|
||||
ASSERT( ((PHEAD)body)->cLockObj >= 1);
|
||||
ASSERT( ((PHEAD)body)->cLockObj < 0x10000);
|
||||
|
||||
return UserFreeHandle(gHandleTable, h);
|
||||
}
|
||||
|
@ -671,9 +673,11 @@ VOID
|
|||
FASTCALL
|
||||
UserReferenceObject(PVOID obj)
|
||||
{
|
||||
ASSERT(((PHEAD)obj)->cLockObj >= 0);
|
||||
PHEAD ObjHead = obj;
|
||||
ASSERT(ObjHead->cLockObj >= 0);
|
||||
ASSERT(ObjHead->cLockObj < 0x10000);
|
||||
|
||||
((PHEAD)obj)->cLockObj++;
|
||||
ObjHead->cLockObj++;
|
||||
}
|
||||
|
||||
PVOID
|
||||
|
|
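Review bot: The bound `0x10000` is repeated as a bare literal in all three new asserts (UserDereferenceObject, UserDeleteObject, UserReferenceObject), and the reason for it, that a freed object's cLockObj slot holds a heap LIST_ENTRY pointer, is recorded only in the commit message. A single named constant with that explanation beside it would keep the use-after-free hint visible at the assertion site, for example `#define USER_LOCKOBJ_SANITY_LIMIT 0x10000 /* a freed HEAD holds a heap LIST_ENTRY pointer here */` and `ASSERT(ObjHead->cLockObj < USER_LOCKOBJ_SANITY_LIMIT);` (the macro name is only a suggestion). If ASSERT is compiled out of non-debug builds, as is usual, these checks help detection during testing only, and the decrement in UserDereferenceObject still runs on a freed object in release builds, so they should not be read as a mitigation. The `>= 0` check in UserReferenceObject looks always true if cLockObj is an unsigned field; its declaration is not visible here. The bodies of UserDereferenceObject and UserDeleteObject extend beyond their hunks.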