From: Tim Clem tclem@codeweavers.com
lparam != 0 does not imply lparam_size is big enough for a MSG, so we can end up manipulating memory past the end of the buffer.
Co-authored-by: Jacek Caban jacek@codeweavers.com --- dlls/wow64win/user.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/dlls/wow64win/user.c b/dlls/wow64win/user.c
index e1ce2dd8321..d0ec94259b1 100644
--- a/dlls/wow64win/user.c
+++ b/dlls/wow64win/user.c
@@ -704,7 +704,6 @@ static NTSTATUS WINAPI wow64_NtUserCallWindowsHook( void *arg, ULONG size )
 BOOL prev_unicode;
 BOOL next_unicode;
 } *params32;
- void *ret_lparam = (void *)params->lparam;
 UINT lparam32_size = 0, module_size, size32;
 void *ret_ptr;
 ULONG ret_len;
@@ -738,13 +737,11 @@ static NTSTATUS WINAPI wow64_NtUserCallWindowsHook( void *arg, ULONG size )
 case WH_SYSMSGFILTER:
 case WH_MSGFILTER:
 case WH_GETMESSAGE:
- msg_32to64( (MSG *)(params + 1), (const MSG32 *)(params32 + 1) );
- if (ret_lparam)
+ if (params->lparam_size == sizeof(MSG))
 {
- memcpy( ret_lparam, params + 1, params->lparam_size );
- return ret;
+ msg_32to64( (MSG *)(params + 1), (const MSG32 *)(params32 + 1) );
+ return NtCallbackReturn( params + 1, params->lparam_size, ret );
 }
- return NtCallbackReturn( params + 1, params->lparam_size, ret );
 }
return ret;
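Review bot: The new guard `if (params->lparam_size == sizeof(MSG))` bounds only the 64-bit destination `params + 1`; the source read by `msg_32to64`, `(const MSG32 *)(params32 + 1)`, is bounded by however the 32-bit buffer was sized (`lparam32_size`/`size32`, declared in the first hunk but computed outside this one), and nothing in the hunk checks that it covers a full MSG32. If that sizing is not derived from the same `lparam_size == sizeof(MSG)` condition, the conversion can still read past the end of the 32-bit copy; assuming `lparam32_size` is the space reserved for the 32-bit lparam, tightening the check to `if (params->lparam_size == sizeof(MSG) && lparam32_size == sizeof(MSG32))` would make both bounds explicit at the point of use. A short comment on the guard would also record the reasoning from the commit message, e.g. `/* lparam != 0 does not guarantee lparam_size covers a MSG; only convert and copy back when the 64-bit buffer holds exactly one */`. wow64_NtUserCallWindowsHook begins before this hunk and its closing brace lies outside it.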