From 424bbf064b0ae9c65ad818df3ea85530da5b4844 Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Wed, 19 Apr 2017 12:21:57 +0000
Subject: [PATCH] [KMTESTS:OB] - After ObCreateObject+ObInsertObject a handle close is enough to destroy the object, so do not dereference it in addition. Fixes use after free. CORE-11474 svn path=/trunk/; revision=74375
---
 rostests/kmtests/ntos_ob/ObType.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rostests/kmtests/ntos_ob/ObType.c b/rostests/kmtests/ntos_ob/ObType.c
index 1ec3e249d0c..73f860f961f 100644
--- a/rostests/kmtests/ntos_ob/ObType.c
+++ b/rostests/kmtests/ntos_ob/ObType.c
@@ -341,9 +341,11 @@ ObtClose(
 if (!skip(ObBody[i] != NULL, "Nothing to dereference\n"))
 {
 if (ObHandle1[i]) CheckObject(ObHandle1[i], 3LU, 1LU);
+ Ret = ObReferenceObject(ObBody[i]);
+ if (ObHandle1[i]) CheckObject(ObHandle1[i], 4LU, 1LU);
 Ret = ObDereferenceObject(ObBody[i]);
- ok_eq_longptr(Ret, (LONG_PTR)1);
- if (ObHandle1[i]) CheckObject(ObHandle1[i], 2LU, 1LU);
+ ok_eq_longptr(Ret, (LONG_PTR)2);
+ if (ObHandle1[i]) CheckObject(ObHandle1[i], 3LU, 1LU);
 ObBody[i] = NULL;
 }
 if (!skip(ObHandle1[i] != NULL, "Nothing to close\n"))
-- 
2.17.1
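Review bot: The value stored by the added `Ret = ObReferenceObject(ObBody[i]);` is overwritten by the following ObDereferenceObject call without ever being checked, so the reference half of the balanced pair is verified only indirectly through CheckObject, and only when ObHandle1[i] is non-NULL. Either assert it, e.g. `ok_eq_longptr(Ret, (LONG_PTR)3);` (3 is inferred from the neighbouring expected counts, so confirm it), or drop the assignment. Because this is the block that previously released the object early, a short comment above the pair such as `/* After ObInsertObject the handle owns the object: keep reference/dereference balanced here, the handle close below destroys it */` would help keep the extra dereference from being reintroduced. ObtClose's body starts and ends outside the hunk, so whether ObBody[i] can be non-NULL while ObHandle1[i] is NULL (which would now leave the object unreleased) cannot be judged from here.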