https://git.reactos.org/?p=reactos.git;a=commitdiff;h=2255d5f5b648069fa889ed153794d0e6e7ab9444
commit 2255d5f5b648069fa889ed153794d0e6e7ab9444 Author: Pierre Schweitzer <pie...@reactos.org> AuthorDate: Fri Nov 16 21:28:42 2018 +0100 Commit: Pierre Schweitzer <pie...@reactos.org> CommitDate: Fri Nov 16 22:07:08 2018 +0100 [WIN32SS] Avoid an user-after-free in FontFamilyFillInfo(). CID 1441367 --- win32ss/gdi/ntgdi/freetype.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/win32ss/gdi/ntgdi/freetype.c b/win32ss/gdi/ntgdi/freetype.c index ce655c5d3e..dd5e0064a5 100644 --- a/win32ss/gdi/ntgdi/freetype.c +++ b/win32ss/gdi/ntgdi/freetype.c @@ -2605,14 +2605,13 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName, sizeof(Info->EnumLogFontEx.elfFullName), FullName); - ExFreePoolWithTag(Otm, GDITAG_TEXT); - RtlInitAnsiString(&StyleA, Face->style_name); StyleW.Buffer = Info->EnumLogFontEx.elfStyle; StyleW.MaximumLength = sizeof(Info->EnumLogFontEx.elfStyle); status = RtlAnsiStringToUnicodeString(&StyleW, &StyleA, FALSE); if (!NT_SUCCESS(status)) { + ExFreePoolWithTag(Otm, GDITAG_TEXT); return; } Info->EnumLogFontEx.elfScript[0] = UNICODE_NULL; @@ -2623,6 +2622,7 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName, if (!pOS2) { IntUnLockFreeType(); + ExFreePoolWithTag(Otm, GDITAG_TEXT); return; } @@ -2630,6 +2630,8 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName, Ntm->ntmCellHeight = pOS2->usWinAscent + pOS2->usWinDescent; Ntm->ntmAvgWidth = 0; + ExFreePoolWithTag(Otm, GDITAG_TEXT); + fs.fsCsb[0] = pOS2->ulCodePageRange1; fs.fsCsb[1] = pOS2->ulCodePageRange2; fs.fsUsb[0] = pOS2->ulUnicodeRange1;
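Review bot: The release of Otm is now repeated on three exit paths (the failed `RtlAnsiStringToUnicodeString` return, the `!pOS2` return, and the final call just before `fs.fsCsb[0]`), so a return added later between them leaks the pool block, and nothing stops code after the last call from reading Otm again. A single release point would be sturdier: replace each early `ExFreePoolWithTag(Otm, GDITAG_TEXT); return;` with `goto Cleanup;` (keeping `IntUnLockFreeType();` before it in the `!pOS2` branch) and free under the `Cleanup:` label. If the free has to stay mid-function, follow it with `Otm = NULL;` so a stale dereference faults immediately instead of silently reading freed pool. The lines between the three hunks and the rest of FontFamilyFillInfo() are not visible here, so confirm that no other return sits between the allocation of Otm and the final release, and that no `Otm->` read follows it.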