From 6c597bac2e91c84b5c18ef820295cb5a1e642145 Mon Sep 17 00:00:00 2001
From: Jeff Zaroyko
Date: Sat, 29 Nov 2008 09:51:45 +1100
Subject: [PATCH] ntdll: Avoid NULL deref in RtlDeleteTimer.

---
 dlls/ntdll/tests/rtl.c  | 11 +++++++++++
 dlls/ntdll/threadpool.c |  5 ++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/dlls/ntdll/tests/rtl.c b/dlls/ntdll/tests/rtl.c
index 415f0dbbf17..fffe9ac8c1a 100644
--- a/dlls/ntdll/tests/rtl.c
+++ b/dlls/ntdll/tests/rtl.c
@@ -49,6 +49,7 @@ typedef struct _RTL_HANDLE_TABLE
 static HMODULE hntdll = 0;
 static SIZE_T (WINAPI *pRtlCompareMemory)(LPCVOID,LPCVOID,SIZE_T);
 static SIZE_T (WINAPI *pRtlCompareMemoryUlong)(PULONG, SIZE_T, ULONG);
+static NTSTATUS (WINAPI *pRtlDeleteTimer)(HANDLE, HANDLE, HANDLE);
 static VOID (WINAPI *pRtlMoveMemory)(LPVOID,LPCVOID,SIZE_T);
 static VOID (WINAPI *pRtlFillMemory)(LPVOID,SIZE_T,BYTE);
 static VOID (WINAPI *pRtlFillMemoryUlong)(LPVOID,SIZE_T,ULONG);
@@ -80,6 +81,7 @@ static void InitFunctionPtrs(void)
     if (hntdll) {
         pRtlCompareMemory = (void *)GetProcAddress(hntdll, "RtlCompareMemory");
         pRtlCompareMemoryUlong = (void *)GetProcAddress(hntdll, "RtlCompareMemoryUlong");
+        pRtlDeleteTimer = (void *)GetProcAddress(hntdll, "RtlDeleteTimer");
         pRtlMoveMemory = (void *)GetProcAddress(hntdll, "RtlMoveMemory");
         pRtlFillMemory = (void *)GetProcAddress(hntdll, "RtlFillMemory");
         pRtlFillMemoryUlong = (void *)GetProcAddress(hntdll, "RtlFillMemoryUlong");
@@ -930,6 +932,13 @@ static void test_RtlAllocateAndInitializeSid(void)
     ok(ret == STATUS_INVALID_SID, "wrong error %08x\n", ret);
 }
 
+static void test_RtlDeleteTimer(void)
+{
+    NTSTATUS ret;
+    ret = pRtlDeleteTimer(NULL, NULL, NULL);
+    ok(ret == STATUS_INVALID_PARAMETER_1, "expected STATUS_INVALID_PARAMETER_1, got %x\n", ret);
+}
+
 START_TEST(rtl)
 {
     InitFunctionPtrs();
@@ -962,4 +971,6 @@ START_TEST(rtl)
     test_HandleTables();
     if (pRtlAllocateAndInitializeSid)
         test_RtlAllocateAndInitializeSid();
+    if (pRtlDeleteTimer)
+        test_RtlDeleteTimer();
 }
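Review bot: The ok() message in test_RtlDeleteTimer prints the NTSTATUS with `%x`, while the neighbouring status check in the same hunk uses `%08x` (`ok(ret == STATUS_INVALID_SID, "wrong error %08x\n", ret);`); for consistent, aligned output use `ok(ret == STATUS_INVALID_PARAMETER_1, "expected STATUS_INVALID_PARAMETER_1, got %08x\n", ret);`. The test pins only the all-NULL case, so it documents the new guard but would not notice a regression on a non-NULL Timer; a one-line comment such as `/* a NULL timer must be rejected before its queue pointer is read */` would make that scope explicit to the next reader. The other three hunks in this file are plumbing for this test and raise nothing.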
diff --git a/dlls/ntdll/threadpool.c b/dlls/ntdll/threadpool.c
index 9c0dafe3ff4..af42b307f38 100644
--- a/dlls/ntdll/threadpool.c
+++ b/dlls/ntdll/threadpool.c
@@ -1005,10 +1005,13 @@ NTSTATUS WINAPI RtlDeleteTimer(HANDLE TimerQueue, HANDLE Timer,
                                HANDLE CompletionEvent)
 {
     struct queue_timer *t = Timer;
-    struct timer_queue *q = t->q;
+    struct timer_queue *q;
     NTSTATUS status = STATUS_PENDING;
     HANDLE event = NULL;
 
+    if (!Timer)
+        return STATUS_INVALID_PARAMETER_1;
+    q = t->q;
     if (CompletionEvent == INVALID_HANDLE_VALUE)
         status = NtCreateEvent(&event, EVENT_ALL_ACCESS, NULL, FALSE, FALSE);
     else if (CompletionEvent)
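Review bot: The new guard rejects only a NULL Timer; `q = t->q` on the next line still dereferences any non-NULL handle without relating it to TimerQueue, which the visible lines never read, so an invalid or already-deleted handle continues past this point unchecked. That may well be the intended contract, but it deserves a comment above the guard so the limit of the validation is explicit: `/* Only a NULL Timer is rejected; a non-NULL handle is trusted by the caller. */`. The guard presumably sits after the declarations to avoid mixing declarations and code, which is fine as long as `q = t->q` stays after it, as it does here. RtlDeleteTimer's body continues past the end of the hunk.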