From 9c9f4cb9e9bdceccff0b6ed37965e301666b98f8 Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Tue, 3 Aug 2010 21:36:39 +0000
Subject: [PATCH] [WIN32K] Protect access to the result pointer from KeUserModeCallback with SEH. Fixes a possible kernel mode crash.
svn path=/trunk/; revision=48437
---
 reactos/subsystems/win32/win32k/ntuser/callback.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/reactos/subsystems/win32/win32k/ntuser/callback.c b/reactos/subsystems/win32/win32k/ntuser/callback.c
index eb4db061d10..0bcbaf2727c 100644
--- a/reactos/subsystems/win32/win32k/ntuser/callback.c
+++ b/reactos/subsystems/win32/win32k/ntuser/callback.c
@@ -267,7 +267,16 @@ co_IntLoadSysMenuTemplate()
 if (NT_SUCCESS(Status))
 {
 /* Simulate old behaviour: copy into our local buffer */
- Result = *(LRESULT*)ResultPointer;
+ _SEH2_TRY
+ {
+ ProbeForRead(ResultPointer, sizeof(LRESULT), 1);
+ Result = *(LRESULT*)ResultPointer;
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Result = 0;
+ }
+ _SEH2_END
 }

 UserEnterCo();
-- 
2.17.1
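Review bot: The `_SEH2_EXCEPT` handler sets `Result = 0;` but leaves `Status` successful, so a faulting or invalid user-mode `ResultPointer` cannot be told apart from a callback that legitimately returned 0. If code after `UserEnterCo()` consults `Status`, record the fault with `Status = _SEH2_GetExceptionCode();` next to `Result = 0;` in the handler. The probe also validates only the address range: the length reported by KeUserModeCallback (outside this hunk, presumably a `ResultLength` variable) is not compared with `sizeof(LRESULT)` before the read, so a shorter user-mode buffer would still be read as a full LRESULT. A short comment above the `_SEH2_TRY` would help, for example `/* ResultPointer is a user-mode address supplied by the callback return; never dereference it outside SEH */`. The body of co_IntLoadSysMenuTemplate starts and ends outside the hunk, so these points need confirming against the full function.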