From c524a09a17ad438f30008d34c23272727b4d2267 Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Mon, 12 Jun 2017 19:37:58 +0000
Subject: [PATCH] [WIN32K:NTUSER] - Add a hack to avoid doubly freeing a DCE in IntDestroyClass. Since we don't implement W32PF_OWNDCCLEANUP and always free DCEs unconditionally in DceFreeDCE, it is not safe to access the class DCE here (and probably other places) since it could have been deleted by a dying thread. CORE-13415 #resolve
svn path=/trunk/; revision=75014
---
 reactos/win32ss/user/ntuser/class.c | 2 +-
 reactos/win32ss/user/ntuser/dce.h | 2 +-
 reactos/win32ss/user/ntuser/windc.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/reactos/win32ss/user/ntuser/class.c b/reactos/win32ss/user/ntuser/class.c
index e4ac2605fd1..d5c13246469 100644
--- a/reactos/win32ss/user/ntuser/class.c
+++ b/reactos/win32ss/user/ntuser/class.c
@@ -261,7 +261,7 @@ IntDestroyClass(IN OUT PCLS Class)
 if (Class->pdce)
 {
- DceFreeClassDCE(((PDCE)Class->pdce)->hDC);
+ DceFreeClassDCE(Class->pdce);
 Class->pdce = NULL;
 }
diff --git a/reactos/win32ss/user/ntuser/dce.h b/reactos/win32ss/user/ntuser/dce.h
index 882385cda80..3f834c31da3 100644
--- a/reactos/win32ss/user/ntuser/dce.h
+++ b/reactos/win32ss/user/ntuser/dce.h
@@ -47,7 +47,7 @@ HWND FASTCALL IntWindowFromDC(HDC hDc);
 void FASTCALL DceFreeDCE(PDCE dce, BOOLEAN Force);
 void FASTCALL DceEmptyCache(void);
 VOID FASTCALL DceResetActiveDCEs(PWND Window);
-void FASTCALL DceFreeClassDCE(HDC);
+void FASTCALL DceFreeClassDCE(PDCE);
 HWND FASTCALL UserGethWnd(HDC,PWNDOBJ*);
 void FASTCALL DceFreeWindowDCE(PWND);
 void FASTCALL DceFreeThreadDCE(PTHREADINFO);
diff --git a/reactos/win32ss/user/ntuser/windc.c b/reactos/win32ss/user/ntuser/windc.c
index 1cd4697c022..e6ad147c294 100644
--- a/reactos/win32ss/user/ntuser/windc.c
+++ b/reactos/win32ss/user/ntuser/windc.c
@@ -766,7 +766,7 @@ DceFreeWindowDCE(PWND Window)
 }
 void FASTCALL
-DceFreeClassDCE(HDC hDC)
+DceFreeClassDCE(PDCE pdceClass)
 {
 PDCE pDCE;
 PLIST_ENTRY ListEntry;
@@ -776,7 +776,7 @@ DceFreeClassDCE(HDC hDC)
 {
 pDCE = CONTAINING_RECORD(ListEntry, DCE, List);
 ListEntry = ListEntry->Flink;
- if (pDCE->hDC == hDC)
+ if (pDCE == pdceClass)
 {
 DceFreeDCE(pDCE, TRUE); // Might have gone cheap!
 }
--
2.17.1
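Review bot: The new test `if (pDCE == pdceClass)` in DceFreeClassDCE matches on address alone, and per the commit message the DCE that `Class->pdce` refers to may already have been freed by a dying thread by the time IntDestroyClass calls this. If the allocator has since handed that address to a different DCE that is now on the list, this walk would presumably force-free the unrelated entry through `DceFreeDCE(pDCE, TRUE)`; the list and allocation code are outside the hunk, so that needs confirming. The change does remove the stale dereference `((PDCE)Class->pdce)->hDC` at the class.c call site, but the pointer stored in the class is still left dangling after thread teardown, so a more durable fix would clear the owning class's `pdce` at the point where the DCE is actually freed. At minimum I would put a comment above the comparison, `/* HACK: pdceClass may point to freed memory; compare by address only and never dereference it (CORE-13415) */`, so that nobody later reintroduces a field access on the parameter. The function body starts and ends outside this hunk.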