Module: wine
Branch: master
Commit: a001c0a030abff2bbcfd597c5786736ca30a6835
URL: https://gitlab.winehq.org/wine/wine/-/commit/a001c0a030abff2bbcfd597c5786736...
Author: Tim Clem <tclem(a)codeweavers.com>
Date: Mon May 8 14:08:13 2023 -0700
wow64win: Only marshal MSGs in wow64_NtUserCallWindowsHook if needed.
lparam != 0 does not imply lparam_size is big enough for a MSG, so we can end up manipulating memory past the end of the buffer.
Co-authored-by: Jacek Caban <jacek(a)codeweavers.com>
---
 dlls/wow64win/user.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/dlls/wow64win/user.c b/dlls/wow64win/user.c
index 3d0041a7e04..1f378aa0a76 100644
--- a/dlls/wow64win/user.c
+++ b/dlls/wow64win/user.c
@@ -704,7 +704,6 @@ static NTSTATUS WINAPI wow64_NtUserCallWindowsHook( void *arg, ULONG size )
 BOOL prev_unicode;
 BOOL next_unicode;
 } *params32;
- void *ret_lparam = (void *)params->lparam;
 UINT lparam32_size = 0, module_size, size32;
 void *ret_ptr;
 ULONG ret_len;
@@ -738,13 +737,11 @@ static NTSTATUS WINAPI wow64_NtUserCallWindowsHook( void *arg, ULONG size )
 case WH_SYSMSGFILTER:
 case WH_MSGFILTER:
 case WH_GETMESSAGE:
- msg_32to64( (MSG *)(params + 1), (const MSG32 *)(params32 + 1) );
- if (ret_lparam)
+ if (params->lparam_size == sizeof(MSG))
 {
- memcpy( ret_lparam, params + 1, params->lparam_size );
- return ret;
+ msg_32to64( (MSG *)(params + 1), (const MSG32 *)(params32 + 1) );
+ return NtCallbackReturn( params + 1, params->lparam_size, ret );
 }
- return NtCallbackReturn( params + 1, params->lparam_size, ret );
 }
 return ret;
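Review bot: The new guard `if (params->lparam_size == sizeof(MSG))` in the WH_SYSMSGFILTER/WH_MSGFILTER/WH_GETMESSAGE case bounds only the 64-bit destination at `params + 1`. Nothing visible in the hunk ties `params->lparam_size` to the callback's `size` argument, or shows that `params32 + 1` holds a full MSG32 before `msg_32to64` reads it. The function body starts and continues outside this hunk, so both may already be established there; if they are not, a check along the lines of `size >= sizeof(*params) && params->lparam_size <= size - sizeof(*params)` belongs before the switch. The equality test also encodes the reasoning given only in the commit message, so it deserves a comment such as `/* lparam != 0 does not mean a MSG follows params; convert back only when the trailing buffer is exactly a MSG */`.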