https://git.reactos.org/?p=reactos.git;a=commitdiff;h=b538b9abb8c5bb834f8551...
commit b538b9abb8c5bb834f855173fb77459456382d56 Author: Doug Lyons douglyons@douglyons.com AuthorDate: Sun Nov 21 19:57:36 2021 -0600 Commit: GitHub noreply@github.com CommitDate: Mon Nov 22 02:57:36 2021 +0100
[WIN32K] Fix 'use after free' in NtGdiStretchDIBitsInternal (#4122)
CORE-17861 --- win32ss/gdi/ntgdi/dibobj.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/win32ss/gdi/ntgdi/dibobj.c b/win32ss/gdi/ntgdi/dibobj.c
index e8d3acc3d2d..c2b5a8fbb42 100644
--- a/win32ss/gdi/ntgdi/dibobj.c
+++ b/win32ss/gdi/ntgdi/dibobj.c
@@ -1489,7 +1489,6 @@ NtGdiStretchDIBitsInternal(
 if (pdc) DC_UnlockDc(pdc);
 }
- if (pbmiSafe) ExFreePoolWithTag(pbmiSafe, 'imBG');
 if (pvBits) ExFreePoolWithTag(pvBits, TAG_DIB);
/* This is not what MSDN says is returned from this function, but it
@@ -1504,6 +1503,8 @@ NtGdiStretchDIBitsInternal(
 LinesCopied = pbmiSafe->bmiHeader.biHeight;
 }
+ ExFreePoolWithTag(pbmiSafe, 'imBG');
+
 return LinesCopied;
 }
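Review bot: The relocated `ExFreePoolWithTag(pbmiSafe, 'imBG');` at the end of NtGdiStretchDIBitsInternal no longer has the `if (pbmiSafe)` guard that the removed line in the first hunk carried. The only visible use, `pbmiSafe->bmiHeader.biHeight`, sits inside a block whose condition lies outside the hunk, so the diff alone does not show that the pointer is non-NULL on every path that reaches the free. Either keep the guard, `if (pbmiSafe) ExFreePoolWithTag(pbmiSafe, 'imBG');`, or state the invariant next to the call. A short comment such as `/* pbmiSafe is still read for the return value above; free it only after the last use */` would also keep a later cleanup from moving the free back up next to pvBits. The function body starts outside both hunks.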