From 17371b346066897996ad257108d6230174a21559 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 12 Jun 2026 20:54:57 +0000
Subject: [PATCH] win32ss: fix TOCTOU in NtUserEnumDisplayDevices

---
 win32ss/user/ntuser/display.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/win32ss/user/ntuser/display.c b/win32ss/user/ntuser/display.c
index 642b5aa2a87e6..3fa715181dcc6 100644
--- a/win32ss/user/ntuser/display.c
+++ b/win32ss/user/ntuser/display.c
@@ -438,12 +438,13 @@ NtUserEnumDisplayDevices(
 /* Check the buffer size */
 if (pDisplayDevice->cb)
 {
+ DWORD cbCopy = min(pDisplayDevice->cb, sizeof(dispdev));
+
 /* Probe the output buffer */
- pDisplayDevice->cb = min(pDisplayDevice->cb, sizeof(dispdev));
- ProbeForWrite(pDisplayDevice, pDisplayDevice->cb, 1);
+ ProbeForWrite(pDisplayDevice, cbCopy, 1);
 
 /* Copy as much as the given buffer allows */
- RtlCopyMemory(pDisplayDevice, &dispdev, pDisplayDevice->cb);
+ RtlCopyMemory(pDisplayDevice, &dispdev, cbCopy);
 }
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
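Review bot: `cbCopy` is still derived from user memory that is fetched more than once: the `if (pDisplayDevice->cb)` test reads `cb`, and `min(pDisplayDevice->cb, sizeof(dispdev))` reads it again (twice, if `min` is the usual double-evaluating macro), so a concurrent user-mode write can make the comparison see a small value while the selected result is a large one. In that case `RtlCopyMemory` would copy more than `sizeof(dispdev)` bytes out of the kernel-side `dispdev`, which is the over-read the clamp is meant to prevent. Capture the field once before the check, e.g. `DWORD cbUser = *(volatile DWORD *)&pDisplayDevice->cb;`, then test `if (cbUser)` and compute `DWORD cbCopy = min(cbUser, sizeof(dispdev));`. The function body starts and ends outside the hunk, so whether `pDisplayDevice` is probed for read before this point cannot be confirmed from here.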