Details
Bug
Resolution: Won't Fix
Major
None
None
Operating System: ReactOS
Platform: x86 Hardware
Description
Win32k assumes that user32.dll is placed at the same address in different processes. Scenario:
1. RegisterClientPFN() is called in Process 1. NtUserInitializeClientPfnArrays() saves pointers to user32 functions in gpsi->aStoCidPfn[], a global variable.
2. UserRegisterSystemClasses() puts these pointers in lpfnWndProc in class structures.
3. Process 2 calls NtUserCreateDesktop(), IntGetClassForDesktop() copies a pointer from a class into lpfnWndProc in a wnd structure.
4. Then co_IntCreateWindowEx() congratulates a newly created desktop window, sending a WM_NCCREATE message. Crash.
Issue Links
- blocks: CORE-4414 Class rewrite, bugs and all related (Resolved)
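The failure mode in the scenario above, modelled in user space as an added example (not ReactOS code and not part of the report): a table of absolute function addresses captured in one process is checked against a second process whose copy of the DLL sits at a different base. The struct, function names, base addresses and RVAs are constructed for illustration, and the rebase helper is one possible approach, not something the report proposes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PFN_COUNT 2

/* Constructed model of one process's user32 mapping (not a ReactOS structure). */
struct image { uintptr_t base; size_t size; };

/* Constructed RVAs of two client window procedures inside the image. */
static const uintptr_t pfn_rva[PFN_COUNT] = { 0x1200, 0x3480 };

/* Stand-in for the global table from step 1: absolute addresses, captured once. */
static uintptr_t global_pfn[PFN_COUNT];

/* Step 1: the registering process stores its own absolute addresses. */
void register_client_pfn(const struct image *img) {
    for (int i = 0; i < PFN_COUNT; i++)
        global_pfn[i] = img->base + pfn_rva[i];
}

/* Does a cached address point into this process's mapping of the image? */
int pfn_valid_in(const struct image *img, uintptr_t addr) {
    return addr >= img->base && addr - img->base < img->size;
}

/* Assumed alternative: recover the RVA and rebase it against the caller's image. */
uintptr_t rebase_pfn(const struct image *reg, const struct image *cur, int i) {
    return cur->base + (global_pfn[i] - reg->base);
}

int main(void) {
    struct image p1 = { 0x77a00000u, 0x100000 };  /* constructed base, process 1 */
    struct image p2 = { 0x75300000u, 0x100000 };  /* constructed base, process 2 */
    register_client_pfn(&p1);
    for (int i = 0; i < PFN_COUNT; i++) {
        printf("pfn[%d]=%#lx valid in p1:%d p2:%d rebased for p2:%#lx\n", i,
               (unsigned long)global_pfn[i],
               pfn_valid_in(&p1, global_pfn[i]),
               pfn_valid_in(&p2, global_pfn[i]),
               (unsigned long)rebase_pfn(&p1, &p2, i));
    }
    return 0;
}
```

The cached pointer passes the range check only in the process that registered it; in the second process it falls outside the mapped image, which is the state the window procedure call in step 4 runs into.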