Patch, as suggested by Mike Nordell, to verify IRQL before calling unsafe fast mutex...

[reactos.git] / reactos / subsys / win32k / objects / gdiobj.c

diff --git a/reactos/subsys/win32k/objects/gdiobj.c b/reactos/subsys/win32k/objects/gdiobj.c
index d14cd52..f6c80d3 100644 (file)
--- a/reactos/subsys/win32k/objects/gdiobj.c
+++ b/reactos/subsys/win32k/objects/gdiobj.c
@@ -19,7 +19,7 @@
 /*
  * GDIOBJ.C - GDI object manipulation routines
  *
- * $Id: gdiobj.c,v 1.44 2003/09/26 10:45:45 gvg Exp $
+ * $Id: gdiobj.c,v 1.46 2003/10/15 03:09:23 vizzini Exp $
  *
  */
 
@@ -66,7 +66,7 @@
 #define GDI_VALID_OBJECT(h, obj, t, f) \
   (NULL != (obj) \
    && (GDI_MAGIC_TO_TYPE((obj)->Magic) == (t) || GDI_OBJECT_TYPE_DONTCARE == (t)) \
-   && (GDI_HANDLE_GET_TYPE((h)) == (t) || GDI_OBJECT_TYPE_DONTCARE == (t)) \
+   && (GDI_HANDLE_GET_TYPE((h)) == GDI_MAGIC_TO_TYPE((obj)->Magic)) \
    && (((obj)->hProcessId == PsGetCurrentProcessId()) \
        || (GDI_GLOBAL_PROCESS == (obj)->hProcessId) \
        || ((f) & GDIOBJFLAG_IGNOREPID)))
@@ -154,6 +154,14 @@ static PGDI_HANDLE_TABLE FASTCALL
 GDIOBJ_iAllocHandleTable (WORD Size)
 {
   PGDI_HANDLE_TABLE  handleTable;
+  KIRQL OldIrql;
+  BOOLEAN IrqlRaised = FALSE;
+
+  if(KeGetCurrentIrql() < APC_LEVEL)
+    {
+      KeRaiseIrql(APC_LEVEL, &OldIrql);
+      IrqlRaised = TRUE;
+    }
 
   ExAcquireFastMutexUnsafe (&HandleTableMutex);
   handleTable = ExAllocatePool(PagedPool,
@@ -166,6 +174,9 @@ GDIOBJ_iAllocHandleTable (WORD Size)
   handleTable->wTableSize = Size;
   ExReleaseFastMutexUnsafe (&HandleTableMutex);
 
+  if(IrqlRaised)
+    KeLowerIrql(OldIrql);
+
   return handleTable;
 }
 
@@ -192,6 +203,14 @@ static WORD FASTCALL
 GDIOBJ_iGetNextOpenHandleIndex (void)
 {
   WORD tableIndex;
+  BOOLEAN IrqlRaised = FALSE;
+  KIRQL OldIrql;
+
+  if(KeGetCurrentIrql() < APC_LEVEL)
+    {
+      KeRaiseIrql(APC_LEVEL, &OldIrql);
+      IrqlRaised = TRUE;
+    }
 
   ExAcquireFastMutexUnsafe (&HandleTableMutex);
   for (tableIndex = 1; tableIndex < HandleTable->wTableSize; tableIndex++)
@@ -204,6 +223,9 @@ GDIOBJ_iGetNextOpenHandleIndex (void)
     }
   ExReleaseFastMutexUnsafe (&HandleTableMutex);
 
+  if(IrqlRaised)
+    KeLowerIrql(OldIrql);
+
   return (tableIndex < HandleTable->wTableSize) ? tableIndex : 0;
 }
 
@@ -450,7 +472,8 @@ GDIOBJ_GetObjectType(HGDIOBJ ObjectHandle)
   PGDIOBJHDR ObjHdr;
 
   ObjHdr = GDIOBJ_iGetObjectForIndex(GDI_HANDLE_GET_INDEX(ObjectHandle));
-  if (NULL == ObjHdr)
+  if (NULL == ObjHdr
+      || ! GDI_VALID_OBJECT(ObjectHandle, ObjHdr, GDI_MAGIC_TO_TYPE(ObjHdr->Magic), 0))
     {
       DPRINT1("Invalid ObjectHandle 0x%08x\n", ObjectHandle);
       return 0;
@@ -572,8 +595,8 @@ CleanupForProcess (struct _EPROCESS *Process, INT Pid)
           (INT) objectHeader->hProcessId == Pid)
        {
          DPRINT("CleanupForProcess: %d, process: %d, locks: %d, magic: 0x%x", i, objectHeader->hProcessId, objectHeader->dwCount, objectHeader->Magic);
-         GDIOBJ_FreeObj(GDI_HANDLE_CREATE(i, GDI_OBJECT_TYPE_DONTCARE),
-                        GDI_OBJECT_TYPE_DONTCARE,
+         GDIOBJ_FreeObj(GDI_HANDLE_CREATE(i, GDI_MAGIC_TO_TYPE(objectHeader->Magic)),
+                        GDI_MAGIC_TO_TYPE(objectHeader->Magic),
                         GDIOBJFLAG_IGNOREPID | GDIOBJFLAG_IGNORELOCK);
        }
     }