https://git.reactos.org/?p=reactos.git;a=commitdiff;h=b538b9abb8c5bb834f855… commit b538b9abb8c5bb834f855173fb77459456382d56 Author: Doug Lyons <douglyons(a)douglyons.com> AuthorDate: Sun Nov 21 19:57:36 2021 -0600 Commit: GitHub <noreply(a)github.com> CommitDate: Mon Nov 22 02:57:36 2021 +0100 [WIN32K] Fix 'use after free' in NtGdiStretchDIBitsInternal (#4122) CORE-17861 --- win32ss/gdi/ntgdi/dibobj.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/win32ss/gdi/ntgdi/dibobj.c b/win32ss/gdi/ntgdi/dibobj.c index e8d3acc3d2d..c2b5a8fbb42 100644 --- a/win32ss/gdi/ntgdi/dibobj.c +++ b/win32ss/gdi/ntgdi/dibobj.c @@ -1489,7 +1489,6 @@ NtGdiStretchDIBitsInternal( if (pdc) DC_UnlockDc(pdc); } - if (pbmiSafe) ExFreePoolWithTag(pbmiSafe, 'imBG'); if (pvBits) ExFreePoolWithTag(pvBits, TAG_DIB); /* This is not what MSDN says is returned from this function, but it @@ -1504,6 +1503,8 @@ NtGdiStretchDIBitsInternal( LinesCopied = pbmiSafe->bmiHeader.biHeight; } + ExFreePoolWithTag(pbmiSafe, 'imBG'); + return LinesCopied; }