From bb6769f4754d5bc8961b62219e20674058546fb3 Mon Sep 17 00:00:00 2001
From: Paul Chitescu <paulc@voip.null.ro>
Date: Fri, 18 Jun 2010 14:09:38 +0300
Subject: [PATCH] user32: Use a safer method of freeing user handles to prevent
 zeroing out a newly allocated handle.

---
 dlls/user32/win.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/dlls/user32/win.c b/dlls/user32/win.c
index 4dd89621c69..cbc949c024b 100644
--- a/dlls/user32/win.c
+++ b/dlls/user32/win.c
@@ -107,7 +107,7 @@ HANDLE alloc_user_handle( struct user_object *ptr, enum user_obj_type type )
         assert( index < NB_USER_HANDLES );
         ptr->handle = handle;
         ptr->type = type;
-        user_handles[index] = ptr;
+        InterlockedExchangePointer( &user_handles[index], ptr );
     }
     return handle;
 }
@@ -161,8 +161,8 @@ void *free_user_handle( HANDLE handle, enum user_obj_type type )
         SERVER_START_REQ( free_user_handle )
         {
             req->handle = wine_server_user_handle( handle );
-            if (!wine_server_call( req )) user_handles[index] = NULL;
-            else ptr = NULL;
+            if (wine_server_call( req )) ptr = NULL;
+            else InterlockedCompareExchangePointer( &user_handles[index], NULL, ptr );
         }
         SERVER_END_REQ;
         release_user_handle_ptr( ptr );
@@ -243,7 +243,6 @@ static WND *create_window_handle( HWND parent, HWND owner, LPCWSTR name,
 
     index = USER_HANDLE_TO_INDEX(handle);
     assert( index < NB_USER_HANDLES );
-    user_handles[index] = win;
     win->obj.handle = handle;
     win->obj.type   = USER_WINDOW;
     win->parent     = full_parent;
@@ -251,6 +250,7 @@ static WND *create_window_handle( HWND parent, HWND owner, LPCWSTR name,
     win->class      = class;
     win->winproc    = get_class_winproc( class );
     win->cbWndExtra = extra_bytes;
+    InterlockedExchangePointer( &user_handles[index], win );
     if (WINPROC_IsUnicode( win->winproc, unicode )) win->flags |= WIN_ISUNICODE;
     return win;
 }
@@ -271,8 +271,8 @@ static void free_window_handle( HWND hwnd )
         SERVER_START_REQ( destroy_window )
         {
             req->handle = wine_server_user_handle( hwnd );
-            if (!wine_server_call_err( req )) user_handles[index] = NULL;
-            else ptr = NULL;
+            if (wine_server_call_err( req )) ptr = NULL;
+            else InterlockedCompareExchangePointer( &user_handles[index], NULL, ptr );
         }
         SERVER_END_REQ;
         release_user_handle_ptr( ptr );
@@ -815,7 +815,7 @@ static void destroy_thread_window( HWND hwnd )
         if ((wndPtr->dwStyle & (WS_CHILD | WS_POPUP)) != WS_CHILD) menu = (HMENU)wndPtr->wIDmenu;
         sys_menu = wndPtr->hSysMenu;
         free_dce( wndPtr->dce, hwnd );
-        user_handles[index] = NULL;
+        InterlockedCompareExchangePointer( &user_handles[index], NULL, wndPtr );
     }
     USER_Unlock();
 
-- 
2.11.4.GIT