[WIN32K]
authorTimo Kreuzer <timo.kreuzer@reactos.org>
Tue, 3 Aug 2010 21:36:39 +0000 (21:36 +0000)
committerTimo Kreuzer <timo.kreuzer@reactos.org>
Tue, 3 Aug 2010 21:36:39 +0000 (21:36 +0000)
Protect access to the result pointer from KeUserModeCallback with SEH. Fixes a possible kernel mode crash.

svn path=/trunk/; revision=48437

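--- a/reactos/subsystems/win32/win32k/ntuser/callback.c
+++ b/reactos/subsystems/win32/win32k/ntuser/callback.c
@@ -267,7 +267,16 @@ co_IntLoadSysMenuTemplate()
    if (NT_SUCCESS(Status))
    {
       /* Simulate old behaviour: copy into our local buffer */
-      Result = *(LRESULT*)ResultPointer;
+      _SEH2_TRY
+      {
+        ProbeForRead(ResultPointer, sizeof(LRESULT), 1);
+        Result = *(LRESULT*)ResultPointer;
+      }
+      _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+      {
+        Result = 0;
+      }
+      _SEH2_END
    }
 
    UserEnterCo();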
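Review bot: The guarded read inside `_SEH2_TRY` still takes a full `sizeof(LRESULT)` from `ResultPointer` without checking the length that KeUserModeCallback reported back. A short or empty user-mode reply is therefore accepted as a valid result as long as the address probes as readable. I would reject it first, e.g. `if (ResultLength != sizeof(LRESULT)) Result = 0;`, where `ResultLength` stands for the function's length out-parameter, whose real name is not visible in this hunk. The exception path sets `Result = 0` but leaves `Status` successful; a short comment such as `/* ResultPointer is user-mode memory returned by the callback; a fault here is reported as a NULL result */` would make that intent explicit. The body of co_IntLoadSysMenuTemplate starts and ends outside the hunk, and the other callbacks in callback.c presumably copy their results the same way, so they are worth checking for the same unguarded dereference.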