[WIN32K/USER] Fix callout object referencing in co_IntUpdateWindows

Move UserRefObjectCo, so that it covers co_IntSendMessage as well.
This caused a use-after-free during testing.

Author: tkreuzer

win32ss/user/ntuser/painting.c

@@ -519,6 +519,7 @@ VOID FASTCALL
 co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
 {
    HWND hWnd = UserHMGetHandle(Wnd);
+   USER_REFERENCE_ENTRY Ref;
 
    if ( Wnd->hrgnUpdate != NULL || Wnd->state & WNDS_INTERNALPAINT )
    {
@@ -542,15 +543,15 @@ co_IntUpdateWindows(PWND Wnd, ULONG Flags, BOOL Recurse)
       Wnd->state &= ~WNDS_UPDATEDIRTY;
 
       Wnd->state2 |= WNDS2_WMPAINTSENT;
+
+      UserRefObjectCo(Wnd, &Ref);
       co_IntSendMessage(hWnd, WM_PAINT, 0, 0);
 
       if (Wnd->state & WNDS_PAINTNOTPROCESSED)
       {
-         USER_REFERENCE_ENTRY Ref;
-         UserRefObjectCo(Wnd, &Ref);
          co_IntPaintWindows(Wnd, RDW_NOCHILDREN, FALSE);
-         UserDerefObjectCo(Wnd);
       }
+      UserDerefObjectCo(Wnd);
    }
 
    // Force flags as a toggle. Fixes msg:test_paint_messages:WmChildPaintNc.