ntdll: Avoid NULL deref in RtlDeleteTimer.

2008-11-29 09:51:45 +11:00 · 2008-11-29 09:51:45 +11:00 · 6c597bac2e
parent 63908f039b
commit 6c597bac2e
2 changed files with 15 additions and 1 deletions
--- a/dlls/ntdll/tests/rtl.c
+++ b/dlls/ntdll/tests/rtl.c
@ -49,6 +49,7 @@ typedef struct _RTL_HANDLE_TABLE
 static HMODULE hntdll = 0;
 static SIZE_T    (WINAPI  *pRtlCompareMemory)(LPCVOID,LPCVOID,SIZE_T);
 static SIZE_T    (WINAPI  *pRtlCompareMemoryUlong)(PULONG, SIZE_T, ULONG);
+static NTSTATUS  (WINAPI  *pRtlDeleteTimer)(HANDLE, HANDLE, HANDLE);
 static VOID      (WINAPI  *pRtlMoveMemory)(LPVOID,LPCVOID,SIZE_T);
 static VOID      (WINAPI  *pRtlFillMemory)(LPVOID,SIZE_T,BYTE);
 static VOID      (WINAPI  *pRtlFillMemoryUlong)(LPVOID,SIZE_T,ULONG);
@ -80,6 +81,7 @@ static void InitFunctionPtrs(void)
    if (hntdll) {
 	pRtlCompareMemory = (void *)GetProcAddress(hntdll, "RtlCompareMemory");
 	pRtlCompareMemoryUlong = (void *)GetProcAddress(hntdll, "RtlCompareMemoryUlong");
+        pRtlDeleteTimer = (void *)GetProcAddress(hntdll, "RtlDeleteTimer");
 	pRtlMoveMemory = (void *)GetProcAddress(hntdll, "RtlMoveMemory");
 	pRtlFillMemory = (void *)GetProcAddress(hntdll, "RtlFillMemory");
 	pRtlFillMemoryUlong = (void *)GetProcAddress(hntdll, "RtlFillMemoryUlong");
@ -930,6 +932,13 @@ static void test_RtlAllocateAndInitializeSid(void)
    ok(ret == STATUS_INVALID_SID, "wrong error %08x\n", ret);
 }

+static void test_RtlDeleteTimer(void)
+{
+    NTSTATUS ret;
+    ret = pRtlDeleteTimer(NULL, NULL, NULL);
+    ok(ret == STATUS_INVALID_PARAMETER_1, "expected STATUS_INVALID_PARAMETER_1, got %x\n", ret);
+}
+
 START_TEST(rtl)
 {
    InitFunctionPtrs();
@ -962,4 +971,6 @@ START_TEST(rtl)
        test_HandleTables();
    if (pRtlAllocateAndInitializeSid)
        test_RtlAllocateAndInitializeSid();
+    if (pRtlDeleteTimer)
+        test_RtlDeleteTimer();
 }
--- a/dlls/ntdll/threadpool.c
+++ b/dlls/ntdll/threadpool.c
@ -1005,10 +1005,13 @@ NTSTATUS WINAPI RtlDeleteTimer(HANDLE TimerQueue, HANDLE Timer,
                               HANDLE CompletionEvent)
 {
    struct queue_timer *t = Timer;
-    struct timer_queue *q = t->q;
+    struct timer_queue *q;
    NTSTATUS status = STATUS_PENDING;
    HANDLE event = NULL;

+    if (!Timer)
+        return STATUS_INVALID_PARAMETER_1;
+    q = t->q;
    if (CompletionEvent == INVALID_HANDLE_VALUE)
        status = NtCreateEvent(&event, EVENT_ALL_ACCESS, NULL, FALSE, FALSE);
    else if (CompletionEvent)