[WIN32K]

Protect access to the result pointer from KeUserModeCallback with SEH. Fixes a possible kernel mode crash.

svn path=/trunk/; revision=48437

diff --git a/reactos/subsystems/win32/win32k/ntuser/callback.c b/reactos/subsystems/win32/win32k/ntuser/callback.c
index eb4db06..0bcbaf2 100644 (file)
--- a/reactos/subsystems/win32/win32k/ntuser/callback.c
+++ b/reactos/subsystems/win32/win32k/ntuser/callback.c
@@ -267,7 +267,16 @@ co_IntLoadSysMenuTemplate()
    if (NT_SUCCESS(Status))
    {
       /* Simulate old behaviour: copy into our local buffer */
    if (NT_SUCCESS(Status))
    {
       /* Simulate old behaviour: copy into our local buffer */

-      Result = *(LRESULT*)ResultPointer;
+      _SEH2_TRY
+      {
+        ProbeForRead(ResultPointer, sizeof(LRESULT), 1);
+        Result = *(LRESULT*)ResultPointer;
+      }
+      _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+      {
+        Result = 0;
+      }
+      _SEH2_END

    }
 
    UserEnterCo();
    }
 
    UserEnterCo();