From 705228250741da2ca9a865d7b6d1f81651c554f7 Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Wed, 12 Aug 2015 10:34:05 +0000
Subject: [PATCH] [WIN23K] Make sure to attach to the specified process before dereferencing ClientInfo, which is a user mode structure. CORE-l0017 #resolve svn path=/trunk/; revision=68702
---
 reactos/win32ss/user/ntuser/message.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/reactos/win32ss/user/ntuser/message.c b/reactos/win32ss/user/ntuser/message.c
index f2929f3cc81..6b21310525b 100644
--- a/reactos/win32ss/user/ntuser/message.c
+++ b/reactos/win32ss/user/ntuser/message.c
@@ -2870,6 +2870,7 @@ NtUserWaitForInputIdle( IN HANDLE hProcess,
 NTSTATUS Status;
 HANDLE Handles[3];
 LARGE_INTEGER Timeout;
+ KAPC_STATE ApcState;
 UserEnterExclusive();
@@ -2915,6 +2916,8 @@ NtUserWaitForInputIdle( IN HANDLE hProcess,
 if (dwMilliseconds != INFINITE) Timeout.QuadPart = (LONGLONG) dwMilliseconds * (LONGLONG) -10000;
+ KeStackAttachProcess(&Process->Pcb, &ApcState);
+
 W32Process->W32PF_flags |= W32PF_WAITFORINPUTIDLE;
 for (pti = W32Process->ptiList; pti; pti = pti->ptiSibling) {
@@ -2922,6 +2925,8 @@ NtUserWaitForInputIdle( IN HANDLE hProcess,
 pti->pClientInfo->dwTIFlags = pti->TIF_flags;
 }
+ KeUnstackDetachProcess(&ApcState);
+
 TRACE("WFII: ppi %p\n", W32Process);
 TRACE("WFII: waiting for %p\n", Handles[1] );
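Review bot: The store `pti->pClientInfo->dwTIFlags = pti->TIF_flags;` in the loop that opens in the second hunk (`@@ -2915,6 +2916,8 @@`) and closes in the third is still an unguarded kernel-mode write to a user-mode address, with no `_SEH2_TRY` visible around it. Attaching makes the pointer resolve in the right address space, but the target process owns that memory and can free or reprotect it, so a fault would be raised in kernel mode while attached and while the exclusive user lock is held. I would wrap the loop in `_SEH2_TRY` / `_SEH2_EXCEPT` and keep `KeUnstackDetachProcess` after `_SEH2_END` so the detach runs on every path. NtUserWaitForInputIdle begins and ends outside these hunks, so an outer handler may exist that is not visible here.

```c
KeStackAttachProcess(&Process->Pcb, &ApcState);

W32Process->W32PF_flags |= W32PF_WAITFORINPUTIDLE;
_SEH2_TRY
{
    for (pti = W32Process->ptiList; pti; pti = pti->ptiSibling)
    {
        /* … unchanged: loop body, including the pClientInfo store … */
    }
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
    /* ClientInfo lives in user memory the target process controls;
     * a bad mapping must not become a kernel fault. */
    ERR("WFII: exception 0x%lx while updating ClientInfo\n", _SEH2_GetExceptionCode());
}
_SEH2_END;

KeUnstackDetachProcess(&ApcState);
```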
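Review bot: After `KeUnstackDetachProcess(&ApcState);` in the third hunk (`@@ -2922,6 +2925,8 @@`), `pti->pClientInfo` again resolves in the caller's address space, and nothing in the code records that constraint. A comment at the detach, for example `/* pClientInfo is only valid while attached to Process; do not dereference it below */`, would stop a later edit from moving a ClientInfo access outside the attached region. The rest of the function is outside the hunk; if it writes through `pti->pClientInfo` again after the wait (for instance to clear the flag), that access presumably needs the same attach.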